Army Science Conference.

J.S. Baras, A.A. Cardenas and V. Ramezani, "On-Line Detection of Distributed Attacks from Space-Time Network Flow Patterns", Proceedings of the 23rd Army Science Conference, Orlando, Florida, December 2-5, 2002.

Best Paper Award, WiSe 2004, Philadelphia, Pennsylvania, October 1, 2004.

G. Theodorakopoulos and J.S. Baras, "Trust Evaluation in Ad-Hoc Networks", Proceedings of the 2004 ACM Workshop on Wireless Security (WiSe), pp. 1-10, Philadelphia, Pennsylvania, October 1, 2004.


2007 Leonard G. Abraham Prize in Communication Systems, IEEE Communications Society (ComSoc), presented at the International Conference on Communications (ICC 2007), for the paper

"On Trust Models and Trust Evaluation Metrics for Ad Hoc Networks", IEEE Journal on Selected Areas in Communications, Security in Wireless Ad-Hoc Networks, Vol. 24, No. 2, pp. 318-328, February 2006.


(3) Report of Inventions

J. Song, W. Trappe, R. Poovendran and K.J.R. Liu, "A Dynamic Key Distribution Scheme Using Data Embedding for Secure Multimedia Multicast," U.S. and international patent application filed June 2001, PCT/US01/19715.

Laurent Eschenauer and Virgil Gligor, "Key-Management Scheme and Apparatus for Distributed Sensor Networks," US Patent Application, submitted by the University of Maryland (IS-2003-065), September 2003.

J.S. Baras, P. Yu, and B. Sadler, "Wireless Communication Method and System for Transmission Authentication at the Physical Layer", Invention Disclosure Number IS-2007-079, Patent Pending (filed August 2007).


(4) Scientific Progress and Accomplishments

Our research addressed the overall theme of the program, which is the development of innovative distributed methods and algorithms that are designed to work well in the demanding wireless mobile communications environment. The overall research program comprises theoretical and experimental investigations of the fundamental principles that should govern information assurance systems for large heterogeneous wireless networks with changing topology and connectivity. Our primary interest is in mobile wireless networks with: (i) a high degree of self-organization; (ii) a great variety of user intermittent connectivity profiles; (iii) severe constraints on communication link bandwidth, node processing capabilities and energy consumption. When possible, we have tried to take advantage of the special nature of wireless networks to improve assurance and security, while keeping the disadvantages inherent in wireless media to a minimum. As such, our key ideas are often counter-intuitive. We developed and used sophisticated analytical methods, supported by selective experimentation and testbed validations, to demonstrate and support our claims and results. Our goal was to design 'robust' information assurance systems, i.e. systems capable of maintaining some degree of assurance even under high levels of noise and node capture or destruction. The research program was organized around three interrelated thrusts:

(1) Distributed Autonomous Immune Systems

(2) Assurance Via Distributed Physical Layer Signal Processing and Routing

(3) Distributed Computing Formalisms and Systems

During the project reporting period we achieved considerable integration between the three thrusts, as well as among the projects within each thrust and across thrusts. This was accomplished via consolidation in some projects or via partial re-direction and re-focusing in others. We held frequent meetings between the various investigators and established and ran a monthly meeting of all student researchers in the project. We also collected examples of attacks and intrusions, together with available data, and made them available to all researchers so as to increase knowledge of the practical aspects of the problem, especially within the wireless environment. Substantial foundational work has been done by our research team in this critical research area (intrusions and their detection in mobile wireless networks).


Our research on methods, algorithms, modeling and analytical methods was supported by:

• Mobile wireless network simulation testbeds

• Real experimentation with mobile wireless network testbeds

Our research investigated the following problems in an integrated manner:

• Automated vulnerability assessment

• Automated compromised subnetwork containment

• Pro-active intrusion and anomalous behavior detection

• Automated classification of intrusions and anomalous behavior patterns

• Automated and distributed storage and distribution of intrusion and anomalous behavior patterns

• Autonomous deployment of passive/active methods for intrusion defense

• Autonomous deployment of schemes assuring continuous operation at acceptable assurance levels

• Trade-off analysis between detection performance and false positives vs. complexity and speed of response

• Robustness and resilience of the proposed assurance schemes

• Integration of transmission and traffic flow security with key generation/management and authentication

This integration was achieved by innovative ideas and schemes that focused on the following principles: distributed automatic classification of intrusions in real time; automatic generation of responses for containing and nullifying an intrusion faster than it spreads; attacking intrusions close to the 'network edge'; utilization of the synergy between physical layer and network layer assurance schemes; hierarchical methods and schemes in both the physical and logical domain for efficiency and scalability. Furthermore, we have adopted a "systems view" of security and information assurance; that is, security and information assurance belong to network management and control.

Major motivation for our methods and ideas comes from: the operational principles of biological immune systems; the recent successful development of 'digital immune systems' for the protection of commercial networks from virus attacks; and recent advances in complex waveform generation, which can be profitably utilized to secure wireless communications in a variety of as yet unexplored ways.

The research effort produced the following working or prototype security and software tools, models, products or other technology transition results:

(a) Distributed detection of spreading worms and viruses

(b) On-line detection of buffer overflow-based attacks and intrusions

(c) Detection of wormhole attacks in MANET

(d) Software for IDS evaluation and costing

During the reporting period we also established "significant" working engagements with government or industry, transitioning artifacts, tests and evaluations, etc. These included close collaboration and transition with ARL and CERDEC engineers on:

(e) Detection of wormhole attacks on MANET

(f) Detection of spreading viruses

(g) Evaluation of intrusion detection systems

(h) Novel authentication scheme based on the characteristics of EM emissions from transmitters


In addition we made progress towards the following commercial product results:

(a) Transitioned security protocols for multicast communications over satellites to Lockheed Martin and Hughes Network Systems.

(b) Novel method for IDS evaluation and associated software.

Finally, the most significant (in terms of innovative ideas) results were:

(a) Established rigorous results for Network Tomography and applied them to intrusion detection.

(b) Established novel ways for measuring, evaluating, and analyzing trust dynamics in MANET and made significant connections with statistical physics methods.

(c) Established a new trend in key construction for security problems in wireless sensor networks.


Thrust 1:

Distributed Autonomous Immune Systems

In this thrust we investigated the following topics:

• Fast innate and adaptive immune systems

• Group authentication and multiparty key protocols in dynamic groups

We provide below descriptions of the problems, the approach undertaken, the methodology developed and used, and the results obtained in each project and effort undertaken during this research project's reporting period.


On-line Adaptive IDS Scheme for Detection of Unknown Network Attacks Using Probabilistic Models and Logic

The main focus was to design a scheme that can incorporate both misuse and anomaly detection and hence be used to detect known network attacks (instances of which might not have been seen before) but, more importantly, unknown network attacks. Since misuse detection introduces false negatives and anomaly detection introduces false positives, we need to be able to find a good trade-off. The idea is to set a desirable detection rate (which, in our case, was 100%) and then minimize the false positive rate by filtering false positives through stages.

It is important to emphasize that this scheme's goal is to get results as good as possible with limited information. This means that we do not know the signatures of all the attacks; if we knew them, we could just use signature detection. By incorporating probabilistic models and the administrator's knowledge about possible vulnerabilities, we can achieve very good results. There are five stages in our scheme: Initialization, Parallel testing and training, Logic, Verification and Adaptive phase.

The process is as follows. Partition the probabilistic space into normal behavior, known attacks and (everything else) unknown attacks. This is done by offsetting the log-likelihoods of each model space. In the Parallel testing and training phase, we do trace detection and classification (normal, known attack, unknown attack), and if the classified sequence is not normal we go to the Logic phase (note that in this phase we also train a new HMM with the incoming sequence for possible future use in the Verification phase). In the Logic phase, we use the administrator's knowledge databases containing possibly malicious events, in our case sequences of system calls. We scan the trace for those events (sequentially). If there are none, the decision is made that the trace is normal, so the HMM model of the trace (created in the previous phase) is forwarded to the Adaptive phase. If there is a malicious event (or several events, depending on how many of them are needed to raise an alarm), execution goes to the next phase, Verification. This phase does probabilistic testing analogous to the probabilistic testing at the beginning. Since all the attacks we used in our simulations belong to the same group of attacks (buffer overflow attacks), this represents the worst-case scenario for the scheme, since the attacks tend to look alike. With a 100% detection rate, we were also able to achieve a very good false positive rate of 0.08%.
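A runnable sketch of the classification and Logic phases described above, added here as an illustration and not the project's own implementation. It replaces the HMMs with first-order Markov chains over system-call names (a simplification), classifies a trace by comparing its per-transition log-likelihood under the normal and known-attack models against fixed offsets, and then scans anomalous traces for administrator-specified malicious event sequences before anything is forwarded to verification. The training traces, test traces, thresholds and event patterns are all constructed for the example.

```python
import math

# Constructed system-call alphabet and training traces (not real audit data).
ALPHABET = ["open", "read", "write", "close", "mmap", "execve", "setuid", "socket"]
NORMAL_TRACES = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "write", "close"],
    ["open", "mmap", "read", "close"],
    ["socket", "read", "write", "close"],
]
KNOWN_ATTACK_TRACES = [  # long read bursts ending in a privileged exec
    ["open", "read", "read", "read", "execve", "setuid"],
    ["read", "read", "read", "execve", "setuid", "socket"],
]
# Administrator's knowledge base: contiguous call sequences considered malicious.
MALICIOUS_EVENTS = [("execve", "setuid"), ("execve", "socket")]


class MarkovTraceModel:
    """First-order Markov chain over call names with add-one smoothing.

    Stands in for the report's HMMs so the example stays short.
    """

    def __init__(self, alphabet):
        self.vocab = len(alphabet)
        self.counts = {}  # previous call -> {next call: count}

    def train(self, traces):
        for trace in traces:
            for a, b in zip(trace, trace[1:]):
                row = self.counts.setdefault(a, {})
                row[b] = row.get(b, 0) + 1
        return self

    def log_likelihood(self, trace):
        """Average log-likelihood per transition, so traces of different
        lengths are comparable against one threshold."""
        total, n = 0.0, 0
        for a, b in zip(trace, trace[1:]):
            row = self.counts.get(a, {})
            total += math.log((row.get(b, 0) + 1) / (sum(row.values()) + self.vocab))
            n += 1
        return total / n if n else 0.0


NORMAL_MODEL = MarkovTraceModel(ALPHABET).train(NORMAL_TRACES)
KNOWN_MODEL = MarkovTraceModel(ALPHABET).train(KNOWN_ATTACK_TRACES)


def classify(trace, normal_model, known_model, normal_floor=-1.5, known_floor=-1.5):
    """Parallel testing phase: partition by offset log-likelihoods.

    The floors are the offsets that carve the space into normal / known attack /
    unknown attack (everything else); their values here are assumptions.
    """
    ll_normal = normal_model.log_likelihood(trace)
    ll_known = known_model.log_likelihood(trace)
    if ll_normal >= normal_floor:
        return "normal"
    if ll_known >= known_floor:
        return "known_attack"
    return "unknown_attack"


def find_malicious_events(trace, events):
    """Logic phase: sequential scan of the trace for each known-bad subsequence."""
    hits = []
    for pattern in events:
        k = len(pattern)
        for i in range(len(trace) - k + 1):
            if tuple(trace[i:i + k]) == pattern:
                hits.append((i, pattern))
    return hits


def process(trace, normal_model=NORMAL_MODEL, known_model=KNOWN_MODEL,
            events=MALICIOUS_EVENTS, events_to_alarm=1):
    """Run a trace through classification and the Logic phase.

    Returns the stage-1 label, the malicious events found, and the decision:
    'normal' (trace model goes to the Adaptive phase) or 'verify' (trace goes
    on to the Verification phase).
    """
    label = classify(trace, normal_model, known_model)
    if label == "normal":
        return {"stage1": label, "events": [], "decision": "normal"}
    hits = find_malicious_events(trace, events)
    decision = "verify" if len(hits) >= events_to_alarm else "normal"
    return {"stage1": label, "events": hits, "decision": decision}


if __name__ == "__main__":
    for t in (["open", "read", "write", "close"],
              ["open", "read", "read", "read", "read", "execve", "setuid"],
              ["mmap", "mmap", "mmap", "execve", "socket", "socket"],
              ["mmap", "mmap", "mmap", "mmap", "read", "close"]):
        print(" ".join(t), "->", process(t))
```

The fourth sample trace is the interesting one: it is statistically anomalous under both models (stage 1 labels it an unknown attack), but the Logic phase finds none of the administrator's malicious events, so it is passed on as normal rather than raising an alarm. That is the false-positive filtering the stages are for; the detection rate is preserved because a trace containing a known-bad event is never dropped at this stage.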


On-Line Distributed Detection of Self-Propagating Code

Worms are programs that self-propagate across a network by exploiting security flaws in widely used services offered by vulnerable computers in the network. Worms are popular attacks because no other mechanism allows for the rapid and widespread distribution of malicious code, with virtually no way to trace the attacker. It has been stated that the spread of the theoretical flash or Warhol worms will be so fast that no human-driven communication will suffice for adequate identification of an outbreak before nearly complete infection is achieved. The appearance of such a worm has been voted the greatest security threat. There is therefore a great need to develop automated mechanisms for detecting worms based on their traffic patterns. In our work we completed the development and evaluation of such algorithms. In our research we focused on the fact that self-propagating code will try to use specific vulnerabilities that can be identified with certain port numbers, so we used as the traffic monitoring variable the connection attempts (probes) to a given TCP/UDP port number (or numbers). In most cases we also assumed a probability distribution on the traffic observations, so in our framework we assume that there is a baseline of connections to the given monitored port at all sensors (computers) of the network. The observations can be made at different participating nodes, which enforce policies for blocking self-propagating code once it is detected. We explored the effect of aggregation from distributed sensors. This approach is motivated by the current infrastructure of distributed intrusion detection systems such as myNetWatchman, DShield and Symantec's DeepSight Threat Management System.

We developed a novel formulation of these problems using change detection as the foundation of our approach. We developed methods that are valid without the standard i.i.d. assumption on the observations after the change. That assumption does not hold here because each infected host will in general try to scan the same number of hosts in a given interval of time, so as more and more hosts become infected the observed data volume increases quickly with time. We have developed, implemented, simulated and evaluated a variety of methods using our framework. These include detection of a change in the mean, change detection in distributed sensor systems, CUSUM of aggregated traffic, exponential signal detection in noise, exponential change in the mean, nonparametric regression detection (which allows situations where the number of probes seen exhibits long range dependence and multifractal behavior), and new fully nonparametric algorithms in order to deal with some of the more complicated problems, in particular those where no clear mean can be established. We developed algorithms based on the sequential probability ratio test (SPRT), where the goal is to optimize a hypothesis testing problem given a trade-off between the probability of errors and the observation time. We also formulated these problems as quickest change detection problems, where the trade-off is between the detection delay and the false alarm rate. The methodologies we used to analyze these problems proceed along two main ideas: developing generalized likelihood ratio (GLR) algorithms for on-line detection, and developing filter bank algorithms (using HMMs). We also investigated the development of robust nonparametric algorithms using cumulative sum (CUSUM) and Girshick-Rubin-Shiryaev (GRSh) statistics. In sequential versions of the problem the sequential probability ratio test (SPRT) was used.


We performed extensive analytic and experimental (based on synthetic networks and attack data) performance evaluation of the various schemes we developed. Our evaluation results strongly suggest that in scale-free networks a very small set of the highly connected nodes is sufficient for detection, and aggregation only improves the performance of the nonparametric statistics. If we select sensors at random, or if we monitor a random network, then aggregation is very important for detection. We also developed and evaluated collaborative distributed algorithms for these worm detection problems.
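The "CUSUM of aggregated traffic" variant above, written out as an added example (not the project's code) so the effect of aggregation can be seen on concrete numbers. It assumes the probe counts to one monitored port follow a Poisson baseline at each sensor and tests for a rate increase with a one-sided CUSUM, run once per sensor and once on the sum over all sensors; the observations are constructed so that the count grows geometrically after the onset, as it does when every newly infected host scans at the same rate. The report's GLR, nonparametric and non-i.i.d. variants are not shown.

```python
"""Poisson CUSUM on per-port probe counts, per sensor and on their aggregate."""
import math

# Constructed observations: probes to one monitored TCP port per 10-second
# interval at three sensors. Baseline is about 2 probes per interval per
# sensor; from interval 8 on the count grows geometrically as more hosts are
# infected and each new host scans at the same rate (assumption, not real data).
PER_SENSOR = {
    "sensor_a": [2, 1, 3, 2, 2, 1, 2, 3, 5, 8, 13, 21],
    "sensor_b": [1, 2, 2, 3, 1, 2, 1, 2, 4, 7, 11, 19],
    "sensor_c": [2, 2, 1, 2, 3, 2, 2, 2, 3, 6, 10, 17],
}


def poisson_cusum(counts, mu0, mu1, h):
    """One-sided CUSUM for a Poisson rate change from mu0 (baseline) to mu1.

    The per-observation log-likelihood ratio is x*ln(mu1/mu0) - (mu1 - mu0).
    Returns the index of the first interval at which the statistic reaches h,
    or None if it never does. h trades detection delay against false alarms:
    a larger h means fewer false alarms but later detection.
    """
    if not mu1 > mu0 > 0:
        raise ValueError("need mu1 > mu0 > 0 for a one-sided increase test")
    log_ratio = math.log(mu1 / mu0)
    s = 0.0
    for t, x in enumerate(counts):
        s = max(0.0, s + x * log_ratio - (mu1 - mu0))
        if s >= h:
            return t
    return None


def aggregate(per_sensor):
    """Sum the counts of all sensors interval by interval (central aggregation)."""
    rows = list(per_sensor.values())
    return [sum(col) for col in zip(*rows)]


def detection_times(per_sensor, baseline_per_sensor=2.0, h=8.0):
    """Alarm interval for each sensor alone and for the aggregate.

    The post-change rate is set to twice the baseline; the CUSUM still behaves
    well when the true increase is larger, as it is here. The same threshold h
    is used everywhere so the comparison is at a comparable false alarm level.
    """
    n = len(per_sensor)
    result = {
        name: poisson_cusum(c, baseline_per_sensor, 2 * baseline_per_sensor, h)
        for name, c in per_sensor.items()
    }
    result["aggregate"] = poisson_cusum(
        aggregate(per_sensor), n * baseline_per_sensor, 2 * n * baseline_per_sensor, h
    )
    return result


if __name__ == "__main__":
    for name, t in detection_times(PER_SENSOR).items():
        print(f"{name:10s} alarm at interval {t}")
```

On these counts each sensor alone alarms at interval 10 or 11, while the aggregate alarms at interval 9: one interval after the onset. That is the gain from aggregation the report describes for randomly placed sensors; with sensors on a few highly connected nodes each one would already see most of the probe volume and the gain shrinks.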


On-Line Distributed Detection of Distributed Denial of Service Attacks

A denial of service (DoS) attack can be defined as an attack designed to disrupt or completely deny legitimate users' access to networks, servers, services or other resources. The most common DoS attack involves sending a large number of packets to a destination, causing excessive amounts of network endpoint bandwidth and/or CPU processing capacity at the destination to be consumed. In a distributed denial of service (DDoS) attack, typically an attacker compromises a set of Internet hosts (using manual or semi-automated methods such as a worm) and installs a small attack daemon on each host, producing a group of "zombies". There are various techniques and ideas for the mitigation of denial of service attacks that require the identification of the routers participating (involuntarily) in the attack. Most of these techniques consume a significant amount of router resources, so it is advisable to use them only when needed. A reasonable assumption for transit networks carrying a lot of traffic, which cannot be analyzed at line rate, is that routers do not keep counts of packets to a specific destination, as this might be too expensive during operation. Thus we are interested only in monitoring the network passively.

We completed a novel formulation of and approach to the problem of detecting when a distributed denial of service attack is taking place in one sub-network of a transit (core) network consisting only of routers. We assumed the transit network itself is not the target of the attack, but that it is being used by the attack to reach the victim. We developed a novel formulation of the problem as sequential space-time change detection on a graph. The mathematical techniques we use for detecting an attack are thus based on change detection theory. In a distributed environment a small change at local nodes can be correlated with the state at different nodes to provide a global view and early warning about the state of the network. We developed and applied parametric and nonparametric change detection algorithms to the problem of detecting changes in the "direction" of traffic flow. We also investigated the quickest detection problem when the attack is distributed and coordinated from several nodes against a targeted one. We developed and used a "directionality framework", which gives us a way to compute the severity and directionality of the change.

One of the main advantages of having several nodes under monitoring is that we can correlate the statistics between the different nodes in order to decrease the detection delay for a fixed false alarm probability. The alarm correlation can be performed by several methods. We developed and evaluated a simple algorithm that only requires knowledge of the routing tables of the nodes being monitored. Selecting which statistics to correlate (add) is a key issue. Our algorithm not only can detect the attack (depending on the new correlation threshold), but it can also diminish the impact of a false alarm originating at some node. Another important conclusion is that, without the need to extract or store header information from the packets transmitted through the network, we are able to infer (from the intersection of the two routing tables for the "winning" correlated statistic of the links) the "best" possible (estimated) targets.
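An added example of the routing-table correlation just described, not the project's own algorithm: it is this example's reading of the text, in which a link's change statistic is added to the statistic of each forward link of the next router, an alarm is raised when the sum reaches a correlation threshold, and the destination prefixes that the two routers forward over the winning pair of links are intersected to estimate the target. The topology, routing tables and statistic values are constructed; the link naming convention "<router>-<next hop>" is an assumption of the example.

```python
"""Alarm correlation along routing paths for DDoS detection in a transit network."""

# Constructed routing tables for the monitored routers: destination prefix ->
# outgoing link, with links named "<this router>-<next hop>".
ROUTING = {
    "A": {"10.0.1.0/24": "A-B", "10.0.2.0/24": "A-B", "10.0.3.0/24": "A-C"},
    "B": {"10.0.1.0/24": "B-D", "10.0.2.0/24": "B-E", "10.0.3.0/24": "B-A"},
}
# Constructed current values of a per-link change statistic (for instance a
# CUSUM on the packet rate leaving the router on that link). None of these
# would cross a per-link threshold of 5 on its own.
LINK_STAT = {"A-B": 3.5, "A-C": 0.2, "B-D": 4.1, "B-E": 0.5, "B-A": 0.1}


def endpoints(link):
    src, dst = link.split("-")
    return src, dst


def prefixes_via(routing, router, link):
    """Destination prefixes the router forwards over the given link."""
    return {prefix for prefix, l in routing[router].items() if l == link}


def correlate(routing, link_stat, threshold):
    """Add each link's statistic to that of every forward link of the next
    router; where the sum reaches the threshold, the two routing tables are
    intersected to estimate the destinations the surge is heading for.

    Returns (score, upstream_link, downstream_link, estimated_targets) tuples,
    highest score first.
    """
    candidates = []
    for up_link, up_stat in link_stat.items():
        src, nxt = endpoints(up_link)
        if src not in routing or nxt not in routing:
            continue  # only monitored routers have a routing table available
        for down_link in set(routing[nxt].values()):
            if endpoints(down_link)[1] == src:
                continue  # traffic turning straight back is not a forward path
            score = up_stat + link_stat.get(down_link, 0.0)
            if score >= threshold:
                targets = prefixes_via(routing, src, up_link) & prefixes_via(routing, nxt, down_link)
                candidates.append((score, up_link, down_link, targets))
    return sorted(candidates, key=lambda c: c[0], reverse=True)


def best_target_estimate(routing, link_stat, threshold):
    """Prefixes behind the highest-scoring correlated link pair, or an empty set."""
    ranked = correlate(routing, link_stat, threshold)
    return ranked[0][3] if ranked else set()


if __name__ == "__main__":
    for score, up, down, targets in correlate(ROUTING, LINK_STAT, 6.0):
        print(f"{up} + {down}: score {score:.1f}, estimated targets {sorted(targets)}")
```

Neither A-B (3.5) nor B-D (4.1) would alarm on its own at a per-link threshold of 5, but their sum (7.6) does, and intersecting what A sends over A-B with what B sends over B-D narrows the target to 10.0.1.0/24 without looking at a single packet header. A spurious rise on one link (A-C here) is not confirmed downstream and so raises nothing, which is the false-alarm damping the text mentions.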


Evaluation of Classifiers for Security Applications


We focused on the emergent behavior of networks with no online central authority in the presence of nodes that do not follow the agreed protocols. We call the entity controlling these misbehaving nodes the adversary. We also distinguish between two main types of adversaries: attackers (also called malicious adversaries or intruders), and selfish users. The objective of an attacker is to disrupt the network operation, or to violate some other security property of the network. The goal of selfish users is to obtain better service from the network at the expense of honest participants.

Consider a company that, in an effort to improve its information technology security infrastructure, wants to purchase either intrusion detector 1 (IDS1) or intrusion detector 2 (IDS2). Furthermore, suppose that the algorithms used by each IDS are kept private and therefore the only way to determine the performance of each IDS (unless some reverse engineering is done) is through empirical tests determining how many intrusions are detected by each scheme while providing an acceptable level of false alarms. Suppose these tests show with high confidence that IDS1 detects one-tenth more attacks than IDS2, but at the cost of producing one hundred times more false alarms. The company needs to decide, based on these estimates, which IDS will provide the best return on investment for its needs and its operational environment. This general problem is more concisely stated as the intrusion detection evaluation problem, and its solution usually depends on several factors. The most basic of these factors are the false alarm rate and the detection rate, and their tradeoff can be intuitively analyzed with the help of the receiver operating characteristic (ROC) curve. However, the information provided by the detection rate and the false alarm rate alone might not be enough to provide a good evaluation of the performance of an IDS. Therefore, the evaluation metrics need to consider the environment the IDS is going to operate in, such as the maintenance costs and the hostility of the operating environment (the likelihood of an attack). In an effort to provide such an evaluation method, several performance metrics, such as the Bayesian detection rate, expected cost, sensitivity and intrusion detection capability, have been proposed in the literature.

Yet despite the fact that each of these performance metrics makes its own contribution to the analysis of intrusion detection systems, they are rarely applied in the literature when a new IDS is proposed. It is our belief that the lack of widespread adoption of these metrics stems from two main reasons. Firstly, each metric is proposed in a different framework (e.g. information theory, decision theory, cryptography, etc.) and in a seemingly ad hoc manner, so an objective comparison between the metrics is very difficult. The second reason is that the proposed metrics usually assume knowledge of some uncertain parameters, like the likelihood of an attack or the costs of false alarms and missed detections. Moreover, these uncertain parameters can also change during the operation of an IDS. Therefore the evaluation of an IDS under some (wrongly) estimated parameters might not be of much value.

More importantly, there does not exist a security model for the evaluation of intrusion detection systems. Several researchers have pointed out the need to include resistance against attacks as part of the evaluation of an IDS. However, the traditional evaluation metrics are based on ideas mainly developed for non-security related fields and therefore they do not take into account the role of an adversary and the evaluation of the system against this adversary. In particular, it is important to realize that when we borrow tools from other fields, they come with a set of assumptions that might not hold in an adversarial setting, because the first thing that the intruder will do is violate the assumptions that the IDS is relying on for proper operation.


We introduced and developed a framework for the evaluation of IDSs in order to address these concerns and problems. In the first place, we identified the intrusion detection evaluation problem as a multi-criteria optimization problem. This framework lets us compare several of the previously proposed metrics in a unified manner. To see this, recall that there are in general two ways to solve a multi-criteria optimization problem. The first approach is to combine the criteria to be optimized into a single optimization problem. We showed how the intrusion detection capability, the expected cost and the sensitivity metrics all fall into this category. The second approach to solving a multi-criteria optimization problem is to evaluate a tradeoff curve. We showed how the Bayesian rates and the ROC curve analysis are examples of this approach.

To address the uncertainty of the parameters assumed in each of the metrics, we developed a graphical approach that allows the comparison of the IDS metrics for a wide range of uncertain parameters. For the single optimization problem we showed how the concept of isolines can capture in a single value (the slope of the isoline) uncertainties like the likelihood of an attack and the operational costs of the IDS. For the tradeoff curve approach, we introduced a new tradeoff curve we call the intrusion detector operating characteristic (IDOC). We believe the IDOC curve combines in a single graph all the relevant (and intuitive) parameters that affect the practical performance of an IDS.

We also introduced a robust evaluation approach in order to deal with the adversarial environment the IDS is deployed in. In particular, we did not want to find the best performing IDS on average, but the IDS that performs best under the worst type of attacks. To that end we extended our graphical approach to model the attacks against an IDS and showed how to find the best performing IDS under the worst type of attacks. This framework allows us to reason about the security of the IDS evaluation and the proposed metric against adaptive adversaries. In an effort to make this evaluation framework accessible to other researchers, we started the development of a software application, available at our web site, that implements the graphical approach for the expected cost and our new IDOC analysis curves. We hope this tool can grow to become a valuable resource for research in intrusion detection.
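The IDS1 versus IDS2 decision from the opening of this section, worked through with the metrics named above as an added example (not the project's software): expected cost, the Bayesian detection rate P(intrusion | alarm), the slope of a constant-cost isoline in ROC space, the break-even cost ratio at which the choice flips, and a point on the IDOC curve. The operating points are constructed to match "one-tenth more detections at one hundred times the false alarms"; the base rate of attacks and the cost values are assumptions, and the point of the example is precisely that the answer depends on them.

```python
"""Comparing two intrusion detectors with cost, Bayesian-rate and isoline metrics."""
from dataclasses import dataclass


@dataclass(frozen=True)
class OperatingPoint:
    name: str
    tpr: float  # P(alarm | intrusion), the detection rate
    fpr: float  # P(alarm | no intrusion), the false alarm rate


# Constructed operating points: IDS1 detects one-tenth more attacks than IDS2
# but raises one hundred times as many false alarms.
IDS1 = OperatingPoint("IDS1", tpr=0.88, fpr=0.01)
IDS2 = OperatingPoint("IDS2", tpr=0.80, fpr=0.0001)


def expected_cost(op, p_attack, c_fp, c_fn):
    """Expected cost per observation, with correct decisions costing nothing."""
    return (1 - p_attack) * op.fpr * c_fp + p_attack * (1 - op.tpr) * c_fn


def bayesian_detection_rate(op, p_attack):
    """P(intrusion | alarm): how often an alarm an analyst chases is a real attack."""
    true_alarms = p_attack * op.tpr
    false_alarms = (1 - p_attack) * op.fpr
    return true_alarms / (true_alarms + false_alarms)


def isoline_slope(p_attack, c_fp, c_fn):
    """Slope dTPR/dFPR of a constant-expected-cost line in ROC space.

    Every (FPR, TPR) point on such a line has the same expected cost, so the
    whole environment (base rate and costs) collapses into this one number.
    """
    return c_fp * (1 - p_attack) / (c_fn * p_attack)


def break_even_cost_ratio(a, b, p_attack):
    """c_fn / c_fp above which detector a (more detections, more false alarms)
    has a lower expected cost than detector b."""
    return ((a.fpr - b.fpr) * (1 - p_attack)) / ((a.tpr - b.tpr) * p_attack)


def idoc_point(op, p_attack):
    """Point on the intrusion detector operating characteristic (IDOC) curve:
    detection rate against Bayesian detection rate for a given base rate."""
    return (op.tpr, bayesian_detection_rate(op, p_attack))


def cheapest(ops, p_attack, c_fp, c_fn):
    """Name of the detector with the lowest expected cost under these parameters."""
    return min(ops, key=lambda op: expected_cost(op, p_attack, c_fp, c_fn)).name


if __name__ == "__main__":
    p = 1e-3  # one observation in a thousand is an attack (assumption)
    for op in (IDS1, IDS2):
        print(op.name, "P(I|A) =", round(bayesian_detection_rate(op, p), 3),
              "cost(c_fn=50) =", round(expected_cost(op, p, 1, 50), 5),
              "IDOC point =", idoc_point(op, p))
    print("isoline slope (c_fp=1, c_fn=50):", isoline_slope(p, 1, 50))
    print("IDS1 wins once c_fn/c_fp exceeds", round(break_even_cost_ratio(IDS1, IDS2, p), 1))
```

With one attack per thousand observations, roughly 89% of IDS2's alarms are real against about 8% of IDS1's, and IDS2 has the lower expected cost when a missed detection costs 50 false alarms; raise that to 500 and IDS1 wins. The break-even ratio (about 124 here) and the isoline slope are the single numbers the graphical approach plots over, so the decision can be read off for a whole range of the uncertain parameters instead of one guessed value.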


Detection of Attacks Against the MAC Protocol in Wireless Networks

Selfish and malicious behavior at the MAC layer can have devastating side effects on the performance of wireless networks, similar to the effects of DoS attacks. Several important challenges arise from these problems. The most important one is detecting backoff manipulation by a selfish or malicious attacker within a given time frame, minimizing the impact of the attack. We considered two types of attackers: brute force and intelligent attackers. The brute force attacker does not have a predetermined strategy and can be detected by observing a sequence of backoffs and computing the mean value of the backoffs during a specified time frame. Detecting an intelligent attacker, on the other hand, is a more challenging task, since the attacker knows the strategy of the ID system and attempts to minimize the probability of detection by adjusting his backoffs to values just below the threshold of the ID system. Due to the random choice of backoffs, it is difficult to tell whether the node intentionally chose a small value or not. If the system threshold is set too low, it can lead to a high number of false positives. In our work we focused on detection of the manipulation of the backoff mechanism of the IEEE 802.11 MAC protocol by an intelligent attacker. Our approach encompasses the case of an intelligent attacker that adapts its misbehavior strategy with the objective of remaining undetected as long as possible. We also considered colluding attackers against the MAC protocol, i.e. attackers that cooperate in order to defeat or take unfair advantage of the MAC protocol.


Our main contribution is the development, implementation and performance evaluation of a new algorithm that provides a detection rule of optimum performance for the worst-case attack involving an intelligent attacker. We cast the problem within a minimax robust detection framework, characterize the worst-case misbehavior strategy, and show that the optimal detection rule is the SPRT. We define the worst-case attack as the attack in which the attacker gains access to the channel for more than (50 + ε)% of the time (where ε is a system parameter and can be adjusted), while minimizing the probability of detection. At the same time we optimize the performance of the IDS involved by setting the IDS threshold at the optimal level, with low false positive and missed detection rates. The performance is measured in terms of the number of observations required in order to reach a decision. This framework captures the presence of uncertainty in IEEE 802.11 attacks and concentrates on the attacks that are most significant in terms of incurred performance losses. We did not consider short-term attacks where the attacker gains only a small advantage and does not impact the system significantly. The algorithm refers to the case of an intelligent attacker that can adapt its policy to avoid detection. We also considered DoS attacks (the naive attacker) as the extreme case of misbehavior. Although the basic model does not include interference, we showed that our ideas can be extended to the case where observations are hindered by interference due to concurrent transmissions, and that the performance of the optimal IDS decreases in the presence of interference. We also presented a general framework for the problem of notifying the rest of the network about a misbehavior event. Our work provides performance bounds for both the attacker and the IDS and serves as a prelude to future studies that would capture more composite instances of the problem.

We also performed an extensive review of the literature on these problems. The current literature
offers two major approaches. The first set of approaches provides solutions based on modification of
the current MAC layer protocol, making the monitoring stations aware of the backoff values of their
neighbors. This approach assumes the existence of a trustworthy receiver that can detect misbehavior
of the sender and penalize it by assigning it higher backoff values for subsequent transmissions. A
decision about protocol deviation is reached if the observed number of idle slots of the sender is
smaller than a pre-specified fraction of the allocated backoff. The sender is labeled as misbehaving
if it turns out to deviate continuously, based on a cumulative metric over a sliding window. Prior
work attempted to prevent scenarios of colluding sender-receiver pairs using a similar approach. A
different line of thought was also followed, where misbehavior detection schemes were proposed
without making any changes to the MAC layer protocol. Other authors focused on multiple misbehavior
policies in the wireless environment and placed emphasis on detection of backoff misbehavior. They
proposed a sequence of conditions on available observations for testing the extent to which MAC
protocol parameters have been manipulated. The proposed scheme does not address scenarios that
include intelligent adaptive cheaters or collaborating misbehaving nodes. Other authors addressed the
detection of an adaptive intelligent attacker by casting the problem of misbehavior detection within
the minimax robust detection framework. They optimized the system's performance for the worst-case
instance of uncertainty by identifying the least favorable operating point of the system and deriving
the strategy that optimizes the system's performance when operating at that point. System performance
was measured in terms of the number of observation samples required to reach a decision (detection
delay). However, DOMINO and the SPRT-based scheme were presented independently, without direct
comparison or performance analysis. Additionally, both approaches evaluate detection performance
under conditions that are unrealistic for continuous monitoring, such as a probability of false alarm
equal to 0.01, which in our simulations results in roughly 700 false alarms per minute (in saturation
conditions), a rate that is unacceptable in any real-life implementation. Our work contributes to the
current literature by: (i) deriving a new pmf for the worst-case attack against an SPRT-based
detection scheme, (ii) providing new performance metrics that address the large number of alarms in
the evaluation of previous proposals, (iii) providing a complete analytical model of DOMINO in order
to obtain a theoretical comparison to SPRT-based tests, and (iv) proposing an improvement to DOMINO
based on the CUSUM test. We developed a minimax robust detection model and derived an expression for
the worst-case attack in discrete time. We provided an extensive analysis of DOMINO and developed the
theoretical comparison of the two algorithms. Motivated by the main idea of DOMINO, we offered a
simple extension to the algorithm that significantly improves its performance. We performed
extensive experimental performance comparisons of all algorithms.
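The three detection rules compared above (the SPRT on backoff observations, a DOMINO-style windowed
rule, and the CUSUM variant) are shown side by side in the following Python example. This is
illustrative code written for this edit, not the authors' implementation: the attacker pmf is an
assumed truncated-geometric model rather than the worst-case pmf derived in the report, the
DOMINO-style rule is a simplification of the published scheme, the contention window, thresholds
and window sizes are assumed parameters, and the two backoff traces are constructed, not measured.

```python
"""SPRT, a DOMINO-style windowed rule, and a CUSUM variant, run over constructed
backoff observations (idle-slot counts a monitor attributes to one sender)."""
import math

W = 32          # contention window: a compliant sender backs off uniformly on 0..W-1 (assumed)
R_ATTACK = 0.8  # ASSUMED attacker model, not the report's derived worst-case pmf


def p_legit(x):
    """Nominal backoff pmf: uniform over the contention window."""
    return 1.0 / W if 0 <= x < W else 0.0


def p_attack(x, r=R_ATTACK):
    """Assumed misbehaving pmf p1(x) ~ r^x on 0..W-1: mass piled on small backoffs,
    but every value keeps positive probability so the LLR stays finite."""
    if not 0 <= x < W:
        return 0.0
    return (1.0 - r) * r ** x / (1.0 - r ** W)


def llr(x):
    """Per-observation log-likelihood ratio log p1(x)/p0(x)."""
    return math.log(p_attack(x) / p_legit(x))


def sprt(observations, alpha=0.01, beta=0.01):
    """Wald's SPRT with false-alarm bound alpha and miss bound beta.
    Returns (decision, observations_used); the second value is the detection delay."""
    upper = math.log((1.0 - beta) / alpha)
    lower = math.log(beta / (1.0 - alpha))
    s = 0.0
    for n, x in enumerate(observations, start=1):
        s += llr(x)
        if s >= upper:
            return "attack", n
        if s <= lower:
            return "legitimate", n
    return "undecided", len(observations)


def domino_style(observations, window=4, gamma=0.8, k=2):
    """Simplified DOMINO-like rule (an assumed simplification, not the published scheme):
    per window of observations, compare the mean backoff with gamma * nominal mean;
    a misbehavior counter rises when the mean is below and falls (to 0) otherwise.
    Returns the observation count at which the counter reached k, else None."""
    nominal_mean = (W - 1) / 2.0
    count = 0
    for start in range(0, len(observations) - window + 1, window):
        chunk = observations[start:start + window]
        if sum(chunk) / window < gamma * nominal_mean:
            count += 1
        else:
            count = max(0, count - 1)
        if count >= k:
            return start + window
    return None


def cusum(observations, h=math.log(99.0)):
    """CUSUM on the same LLRs: S_n = max(0, S_{n-1} + llr(x_n)); flag when S_n >= h.
    Unlike the SPRT it never terminates with a 'legitimate' verdict, which is what
    continuous monitoring of a live sender needs."""
    s = 0.0
    for n, x in enumerate(observations, start=1):
        s = max(0.0, s + llr(x))
        if s >= h:
            return n
    return None


# Constructed traces (not measured data): backoff slot counts seen from one sender.
ATTACK_TRACE = [0, 1, 0, 2, 1, 0, 3, 1]
LEGIT_TRACE = [30, 12, 25, 20, 31, 5, 14, 29]

if __name__ == "__main__":
    for name, trace in (("attacker", ATTACK_TRACE), ("compliant", LEGIT_TRACE)):
        print(name, "SPRT:", sprt(trace), "DOMINO-style:", domino_style(trace),
              "CUSUM:", cusum(trace))
```

The point to take from running it is the one the report makes about continuous monitoring: the SPRT
reaches a verdict after a few observations and then has to be restarted, so its per-test false-alarm
probability alpha is paid again on every restart, whereas the CUSUM keeps accumulating evidence
without ever declaring a sender legitimate, which is the behaviour a deployed IDS needs.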

We also considered realistic versions of the problem, whereby several colluding attackers collaborate
while many legitimate users also use the protocol. We showed that, due to the user interference inherent
in the design of 802.11, only brute force attacks achieve optimal performance (from the perspective of
the attacker). Our approach was again based on a min-max game-theoretic framework.

We also considered attacks on the MAC layer from a cross-layer perspective. Namely, we investigated
the damage and effects that attacks at the MAC layer can have at the network layer. We first demonstrated
that attacks at the MAC layer can be incorrectly perceived as attacks at the network layer by an
incorrectly designed IDS, namely one that does not sense at both the MAC and network layers. We
also demonstrated that different routing protocols react differently to attacks at the MAC layer;
certain protocols are more robust to the effects of MAC attacks. As specific examples we investigated
the effect of MAC attacks on the AODV and DSR MANET routing protocols. Our studies indicate that
AODV is more resilient in terms of dropped traffic caused by an attack at the MAC layer. As a result
of these investigations we developed and recommended a cross-layer IDS architecture for MANET.
We showed that this cross-layer architecture, due to observations at both the MAC and network layers,
leads to significant improvements in the resiliency and security of MANET protocols and operation.

Although  we  have  focused  on  the  MAC  layer  protocol  802.11,  our  approach  is  general  and  can  serve 
as  a  guideline  for  the  design  of  any  probabilistic  distributed  MAC  protocol. 


On-Line  Detection  of  Routing  Attacks  in  MANETs 

Mobile wireless ad hoc networks (MANETs) are particularly vulnerable to attacks on their routing
protocols. Unlike fixed networks, the routers usually do not reside in physically protected places and
can fall under the control of an attacker more easily. Such an attacker can then send incorrect routing
information. Furthermore, messages can be eavesdropped and faked messages can be injected into the
network without the need to compromise nodes. General attacks are misrouting, false message
propagation, packet dropping, packet generation with a faked source address, corruption of packet
contents and denial of service.

One of the attacks exploiting the wireless medium is the wormhole attack, which can be devastating to a
routing protocol. We developed a formulation and a novel approach for the detection of such attacks.
Our approach builds a model capturing the dynamics of a highly mobile ad hoc network. The basic idea
is that an attacker will change the routing information in such a way that the perceived mobility of
the nodes differs from our previous experience. We want to learn the allowable state transitions
(which depend on our sampling interval). We performed various simulation experiments which validated
this premise. We used as the observation variable the hop count distribution at a given node. For
simplicity we assumed a proactive distance vector routing protocol such as DSDV, in order to have all
hop counts available at any time. In the change detection setup we used a CUSUM procedure applicable
to the case of dependent observations.


We performed analytical and simulation evaluations of the performance of the new algorithm.
Although the attacks were introduced by very different and simple means, the principle of detecting an
unknown attack on the routing protocol with different characteristics was demonstrated. In particular,
some attacks produced a change in the variance of the hop count distribution, while others produced a
change in the mean of the hop count distribution. Both kinds of attack were detected by simply testing
the likelihood of the observations under our learned model.
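The idea of the two paragraphs above, learning what the hop-count distribution at a node normally
looks like and raising a change-detection alarm when a new routing-table snapshot is unlikely under
that model, is illustrated by the following Python example. It is added for this edit and is not the
report's algorithm: it models each snapshot by its (mean, variance) pair under a diagonal Gaussian,
uses a plain CUSUM on the resulting scores rather than the dependent-observation CUSUM the report
refers to, and the snapshots, the `sigma_floor` guard, the drift and the threshold `h` are all
constructed or assumed values.

```python
"""Change detection on the hop-count distribution a node sees in its (DSDV-style)
routing table: learn (mean, variance) of hop counts per snapshot from clean
snapshots, score new snapshots by standardized distance, and run a CUSUM."""
import math


def expand(counts):
    """Turn {hop_count: number_of_destinations} into a flat list of hop counts."""
    return [h for h, n in counts.items() for _ in range(n)]


def features(snapshot):
    """Mean and (population) variance of the hop counts in one routing-table snapshot."""
    n = len(snapshot)
    mean = sum(snapshot) / n
    var = sum((h - mean) ** 2 for h in snapshot) / n
    return mean, var


def learn(training, sigma_floor=0.1):
    """Fit a diagonal Gaussian to the per-snapshot (mean, var) features.
    sigma_floor (assumed) stops a small, very regular training set from
    producing a near-zero spread that would flag every later snapshot."""
    feats = [features(s) for s in training]
    model = []
    for i in range(2):
        vals = [f[i] for f in feats]
        mu = sum(vals) / len(vals)
        sd = math.sqrt(sum((v - mu) ** 2 for v in vals) / len(vals))
        model.append((mu, max(sd, sigma_floor)))
    return model


def score(model, snapshot):
    """Negative log-likelihood up to constants: sum of squared z-scores of the features."""
    return sum(((f - mu) / sd) ** 2 for f, (mu, sd) in zip(features(snapshot), model))


def cusum_detect(model, snapshots, drift=2.0, h=5.0):
    """CUSUM over snapshot scores: S_k = max(0, S_{k-1} + score_k - drift).
    drift ~ expected score under the learned model (2 for two squared z-scores);
    returns the 1-based index of the first snapshot at which S_k >= h, else None."""
    s = 0.0
    for k, snap in enumerate(snapshots, start=1):
        s = max(0.0, s + score(model, snap) - drift)
        if s >= h:
            return k
    return None


# Constructed data (not from the report's simulations): each dict is one routing-table
# snapshot at the monitoring node, giving how many destinations sit at each hop count.
TRAINING = [expand(c) for c in (
    {1: 4, 2: 6, 3: 6, 4: 3, 5: 1}, {1: 3, 2: 7, 3: 6, 4: 3, 5: 1},
    {1: 4, 2: 6, 3: 7, 4: 2, 5: 1}, {1: 4, 2: 5, 3: 7, 4: 3, 5: 1},
    {1: 5, 2: 6, 3: 5, 4: 3, 5: 1}, {1: 3, 2: 6, 3: 7, 4: 3, 5: 1},
)]
NORMAL = [expand(c) for c in (
    {1: 4, 2: 6, 3: 6, 4: 3, 5: 1}, {1: 4, 2: 7, 3: 5, 4: 3, 5: 1}, {1: 3, 2: 6, 3: 7, 4: 3, 5: 1},
)]
# A wormhole shortens many routes: the hop-count mean drops (and the variance shrinks).
WORMHOLE = NORMAL[:2] + [expand({1: 10, 2: 8, 3: 2})]
# False route advertisements that scatter hop counts: mean roughly kept, variance up.
VARIANCE_ATTACK = NORMAL[:2] + [expand({1: 8, 2: 2, 3: 2, 4: 4, 5: 4})]

MODEL = learn(TRAINING)

if __name__ == "__main__":
    for name, seq in (("normal", NORMAL), ("wormhole", WORMHOLE), ("variance", VARIANCE_ATTACK)):
        print(name, "flagged at snapshot:", cusum_detect(MODEL, seq))
```

Scoring the whole snapshot rather than individual hop counts matters: a wormhole pulls hop counts
toward 1 and 2, which are the most common values, so a per-entry likelihood would rate the attacked
snapshot as more plausible, not less. The (mean, variance) model catches both the mean shift and the
variance shift the report describes.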


Software  Systems  for  Attack  Detection  and  Defense  in  MANET 

We have investigated a highly extensible intrusion detection system to determine its utility in
identifying previously unseen attacks, with special interest in its application to wireless ad hoc
networks. The STAT system (developed by Richard Kemmerer and his group at the University of
California, Santa Barbara) is a state-based detection system: each attack is mapped into a set of
states called an attack scenario. Certain behaviors trigger transitions between states; these
transitions represent either the progression of a possible attack or the recognition and quelling of a
false alarm. When a series of behaviors causes the final state to be reached, an attack is said to have
occurred. The power of this approach lies in the identification of only the essential elements of attacks;
hence, if the goals of the attackers are known, it should be possible to construct attack scenarios
abstract enough to capture new methods of attaining those same goals.

We extended STAT and STATL, and implemented and tested several of our intrusion detection
algorithms in STAT: buffer overflow, timing disruption, sequence falsification, wormhole, routing
misbehavior and others. We set up a wireless testbed and extensively analyzed the feasibility and
performance of STAT in wireless ad hoc networks by identifying energy requirements and adaptability
to a dynamic attack environment. The new implementations are described below.

bufSTAT  -  a  tool  for  early  detection  and  classification  of  buffer  overflow  attacks 

Buffer overflow attacks constitute by far the most frequently encountered class of attacks, and
they are closely tied to denial of service (DoS) attacks. As a result, the reliable and timely
detection of DoS attacks is inherently related to the design of appropriate buffer overflow attack
detection systems. In that respect, the prerequisites for designing an efficient buffer overflow
attack detection system are: (i) guaranteeing a low probability of false alarm for both the detection
and classification segments of the system, and (ii) requiring low processing time, namely the time
needed for detection and classification of data. We designed, developed and tested a tool, termed
bufSTAT, that achieves precisely these two goals. BufSTAT relies on a Finite State Machine (FSM) for
attack modeling. Its basic characteristic is a high detection and classification rate, due to its
search mode, which focuses on identification of specific single events. BufSTAT can detect every
stage of an ongoing attack and can thus prevent its execution by issuing early warnings in a
progressive manner. It can also detect sophisticated multi-stage attacks that are executed over long
periods of time. Our tool is shown to outperform Hidden Markov Model (HMM) based methods in terms of
the aforementioned performance metrics for known attacks. A significant attribute of our approach is
that it is amenable to detecting unknown attacks as well, after appropriate modification of bufSTAT.

modSTAT:  A  detection  tool  for  AODV  insider  attacks 

Misbehavior within mobile ad hoc networks is a growing area of concern, especially as their
popularity in real-world applications increases. We investigated several attacks that affect
AODV networks in a simple yet effective way. Though security solutions based on public key
cryptography exist for securing AODV networks, such methods often require nontrivial
computations and incur network overhead due to the inclusion of keys and signatures on each
packet. With the energy limitations of mobile nodes in mind, we developed and implemented
intrusion detection algorithms that have been shown on a real-world test bed to be
computationally lightweight while maintaining high detection rates and very low false alarm
rates.

MACSTAT:  A  STAT  based  sensor  for  MAC  layer  misbehavior 

MACSTAT is a new STAT-based sensor used to detect Medium Access Control (MAC) misbehavior.
MACSTAT can be installed on the access point or on individual nodes of the network. STAT did not
yet have a MAC layer module, so in order to write scenarios (attack descriptions) for MAC layer
attacks we developed a MACSTAT provider and an extension for control and management packets.
We also wrote some simple attack scenarios that detect protocol misbehavior. To list a few, we
wrote scenarios for detecting false advertisement of the duration of a transmission, for checking
the minimum waiting time before transmission, and for detecting excessive retransmissions by
certain nodes caused by intentional scrambling of control packets by a malicious node. Due to the
nature of the physical medium and the dynamics of its state, counters play an important role in
the detection mechanism in order to reduce false positives, and they may be adjusted according to
the wireless environment. More sophisticated statistics-based detection schemes are being
developed in order to detect selfish behavior. AODVSTAT can also benefit from MACSTAT in
detecting cross-layer attacks and localizing the source of routing attacks.
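The following Python example renders the kind of scenario just described (false advertisement of
the transmission duration, and transmission before the minimum waiting time) as a per-sender state
machine with a counter that absorbs the noise of the medium. It is written for this edit and is not
a STATL scenario or any part of MACSTAT; the 802.11 timings, the ACK air time, the NAV tolerance,
the counter limit and the frame trace are all assumed or constructed values.

```python
"""A STAT-style attack scenario for MAC-layer misbehavior: one small state machine
per sender, driven by constructed 802.11 frame events. Two transitions: a data
frame whose Duration/NAV field overstates what the exchange needs, and a data frame
sent before DIFS has elapsed since the channel went idle. A counter absorbs the
noise of the medium: violations raise it, compliant frames lower it, and ALARM is
reached only when it hits a limit."""

SIFS_US, DIFS_US = 10, 50        # assumed 802.11b-style timings, microseconds
ACK_US = 304                     # assumed ACK air time at 1 Mbit/s (incl. preamble)
NAV_SLACK_US = 100               # tolerance before a Duration field counts as overstated
COUNTER_LIMIT = 3                # net violations before ALARM; tune per environment


def expected_duration_us(frame):
    """NAV a plain data frame should reserve: the SIFS and ACK that follow it."""
    return SIFS_US + ACK_US


class MacScenario:
    """Per-sender states START -> SUSPECT -> ALARM (ALARM is absorbing)."""

    def __init__(self):
        self.state = {}
        self.counter = {}
        self.channel_idle_at = None   # end time of the last frame seen on the air

    def observe(self, frame):
        """Feed one frame event; returns the sender's state afterwards."""
        sender = frame["sender"]
        self.state.setdefault(sender, "START")
        self.counter.setdefault(sender, 0)
        violated = False
        if frame["kind"] == "DATA":
            if frame["duration"] > expected_duration_us(frame) + NAV_SLACK_US:
                violated = True      # false advertisement of transmission duration
            if (self.channel_idle_at is not None
                    and frame["t"] - self.channel_idle_at < DIFS_US):
                violated = True      # transmitted before the minimum waiting time
        self.channel_idle_at = frame["t_end"]
        if self.state[sender] != "ALARM":
            self.counter[sender] = (self.counter[sender] + 1 if violated
                                    else max(0, self.counter[sender] - 1))
            if self.counter[sender] >= COUNTER_LIMIT:
                self.state[sender] = "ALARM"
            elif self.counter[sender] > 0:
                self.state[sender] = "SUSPECT"
            else:
                self.state[sender] = "START"
        return self.state[sender]


def run(frames):
    """Replay a frame trace and return the final state of every sender."""
    scenario = MacScenario()
    for frame in frames:
        scenario.observe(frame)
    return dict(scenario.state)


# Constructed trace (microsecond timestamps; not a real capture). A behaves; B advertises a
# 5000 us NAV for frames that need ~314 us; C keeps jumping in 30 us after the channel clears.
FRAMES = [
    {"t": 0, "t_end": 1000, "sender": "A", "kind": "DATA", "duration": 314},
    {"t": 1010, "t_end": 1314, "sender": "AP", "kind": "ACK", "duration": 0},
    {"t": 1400, "t_end": 2400, "sender": "B", "kind": "DATA", "duration": 5000},
    {"t": 2410, "t_end": 2714, "sender": "AP", "kind": "ACK", "duration": 0},
    {"t": 2800, "t_end": 3800, "sender": "B", "kind": "DATA", "duration": 5000},
    {"t": 3810, "t_end": 4114, "sender": "AP", "kind": "ACK", "duration": 0},
    {"t": 4200, "t_end": 5200, "sender": "B", "kind": "DATA", "duration": 5000},
    {"t": 5210, "t_end": 5514, "sender": "AP", "kind": "ACK", "duration": 0},
    {"t": 5544, "t_end": 6544, "sender": "C", "kind": "DATA", "duration": 314},
    {"t": 6554, "t_end": 6858, "sender": "AP", "kind": "ACK", "duration": 0},
    {"t": 6888, "t_end": 7888, "sender": "C", "kind": "DATA", "duration": 314},
    {"t": 7898, "t_end": 8202, "sender": "AP", "kind": "ACK", "duration": 0},
    {"t": 8232, "t_end": 9232, "sender": "C", "kind": "DATA", "duration": 314},
    {"t": 9242, "t_end": 9546, "sender": "AP", "kind": "ACK", "duration": 0},
    {"t": 9700, "t_end": 10700, "sender": "A", "kind": "DATA", "duration": 314},
]

if __name__ == "__main__":
    print(run(FRAMES))
```

The counter is where the environment enters: on a clean channel a limit of 3 is reasonable, but
under heavy interference a legitimate sender's frames can look early or long to a monitor with
imperfect timing, so the limit and the NAV slack would be raised at the cost of detection delay,
which is the trade-off the text above describes.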


Thrust  2: 

Assurance  Via  Distributed  Physical  Layer  Signal  Processing  and  Routing 

In  this  thrust  we  are  investigating  the  following  topics: 

•  Advanced  signal  processing  for  channel  and  communication  assurance  and  authentication 

•  Wireless  multimedia  security,  authentication,  and  dynamic  key  management 

•  Use  of  covert  channels 

•  Simultaneous  selection  of  access  control  and  routing 

We  provide  below  descriptions  of  the  problems,  approach  undertaken,  methodology  developed  and 
used  and  results  obtained  in  each  project  and  effort  undertaken  during  this  research  project’s  reporting 
period. 


Physical  Layer  Secrecy  over  Wireless  Channels  via  Chaotic  CDMA 

Our main objective has been to design chaotic CDMA systems that provide uncoded Pr(e) advantages
to intended users in the context of multiuser communication over fading channels. The systems we
have considered and optimized exploit linear modulation of a digital information-bearing signal on a
chaotic sequence, i.e., a sequence generated by iterating an initial condition through a chaotic mapping.
The Pr(e) advantages offered to intended users are achieved by providing side information to these
users in the form of the initial condition. These systems are attractive alternatives to conventional
CDMA systems, i.e., systems that exploit modulation on binary-valued pseudonoise (PN) spreading
sequences generated by feedback shift-register structures. Indeed, chaotic CDMA systems can provide
additional Pr(e) performance advantages to intended users by exploiting the inherent sensitivity to
initial conditions of chaotic systems, with minimal increase in transmitter and intended receiver
complexity and without the need for additional side information with respect to what is required by
conventional CDMA systems.

We have designed tools for characterizing the differences in attainable performance between intended
and unintended users in single-user settings (corresponding to only one transmitting user), as a
function of processing gain and SNR for a large class of PC maps. In particular, we have determined
the performance characteristics of DS/SS schemes with signatures generated by various families of
chaotic piecewise-linear maps, in the context of signaling over AWGN and frequency-nonselective
fading channels, and have recently started exploring the multiuser setting. As our investigative efforts
have revealed, even in the single-user setting these systems can be designed to provide secrecy
benefits to intended receivers in the form of uncoded Pr(e) performance advantages. In particular,
chaotic spreading can provide substantial improvement in terms of the Pr(e) advantages offered to
intended users with respect to conventional DS/SS systems that make the PN sequence seed available
only to intended receivers.

We developed optimized digital implementations of the underlying chaotic DS/SS and quantified the
extent to which these implementations preserve the important properties of the underlying chaotic
DS/SS of interest. We have shown that by properly choosing the precision depth in the implementation,
the pseudochaotic DS/SS systems we developed can achieve the performance characteristics of the
underlying chaotic DS/SS over an arbitrarily wide (yet finite) range of channel SNR values. As a
result we were able to show that 16-bit precision depths suffice to provide effectively private
communication over a very wide SNR range (one that includes the SNR range of practical settings),
even for processing gains well below those used in practical systems. We also considered the privacy
provided by chaotic DS/CDMA, i.e., the multiuser extensions of DS/SS systems.
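The mechanism behind the Pr(e) advantage described above, an intended receiver that regenerates the
chaotic spreading sequence from the shared initial condition while an unintended receiver with a
slightly wrong initial condition loses the sequence within a few dozen chips, is shown in the
following Python example. It is written for this edit and is not the authors' system: it uses the
logistic map at r = 4 in double precision as a stand-in for the piecewise-linear maps the report
optimizes, a processing gain of 32, BPSK, an AWGN channel with an assumed noise level, and a
seeded random bit stream, and it does not model the finite-precision (pseudochaotic) implementation.

```python
"""Chaotic DS/SS link: BPSK bits spread by a logistic-map chip sequence. The intended
receiver regenerates the chips from the shared initial condition; an eavesdropper
whose guess of the initial condition is off by 1e-9 sees the sequence diverge
within a few dozen chips and its despreader degenerates to coin flipping."""
import random

N_CHIPS = 32  # processing gain (chips per bit), deliberately modest


def chaotic_chips(x0, count):
    """Chips c_n = 2*x_n - 1 with x_{n+1} = 4*x_n*(1 - x_n), the logistic map at r=4
    (a stand-in for the piecewise-linear maps the report optimizes over)."""
    chips, x = [], x0
    for _ in range(count):
        x = 4.0 * x * (1.0 - x)
        chips.append(2.0 * x - 1.0)
    return chips


def spread(bits, x0):
    """Each bit in {-1,+1} multiplies N_CHIPS consecutive chips of one continuous chip stream."""
    chips = chaotic_chips(x0, N_CHIPS * len(bits))
    return [bits[i // N_CHIPS] * c for i, c in enumerate(chips)]


def despread(samples, x0):
    """Correlate each bit interval with locally regenerated chips, hard-decide on the sign."""
    chips = chaotic_chips(x0, len(samples))
    decided = []
    for i in range(0, len(samples), N_CHIPS):
        corr = sum(s * c for s, c in zip(samples[i:i + N_CHIPS], chips[i:i + N_CHIPS]))
        decided.append(1 if corr >= 0 else -1)
    return decided


def add_awgn(samples, sigma, seed):
    """Additive white Gaussian noise with a fixed seed so runs are repeatable."""
    rng = random.Random(seed)
    return [s + rng.gauss(0.0, sigma) for s in samples]


def bit_errors(sent, decoded):
    return sum(1 for a, b in zip(sent, decoded) if a != b)


def experiment(num_bits=200, x0=0.3141592653589793, eve_offset=1e-9, sigma=1.0, seed=7):
    """Returns (intended_errors, eavesdropper_errors) over num_bits random bits.
    x0 is the secret initial condition; the eavesdropper uses x0 + eve_offset."""
    rng = random.Random(seed)
    bits = [rng.choice((-1, 1)) for _ in range(num_bits)]
    received = add_awgn(spread(bits, x0), sigma, seed + 1)
    intended = bit_errors(bits, despread(received, x0))
    eavesdropper = bit_errors(bits, despread(received, x0 + eve_offset))
    return intended, eavesdropper


if __name__ == "__main__":
    good, bad = experiment()
    print(f"intended receiver: {good}/200 bit errors; eavesdropper: {bad}/200")
```

With the logistic map the separation between the two trajectories roughly doubles per iteration, so
an initial error of 1e-9 reaches order one after about thirty chips: the eavesdropper may still get
the first bit, after which its correlator output is uncorrelated with the data. A conventional PN
sequence offers no such advantage once the seed is guessed, which is the comparison the report draws.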


Distributed  Coding-Based  Protocols  for  Private  Computation  with  Intrusion  Detection  over  Wireless 
Channels 

We  designed  distributed  algorithms  for  networks  of  nodes/sensors  that  wish  to  compute  functions  of 
their  data  with  privacy,  while  maintaining  the  ability  to  detect  intrusions  with  high  probability.  In 
particular,  we  considered  multinode  settings,  whereby  the  nodes  wish  to  effectively  use  resources,  such 
as  bandwidth  and  transmit  and  processing  power,  to  compute  a  function  of  their  individual  data  over  a 
common  wireless  channel  -  making  the  desired  function  output,  in  the  process,  available  to  an 
arbitrary  subset  of  the  participating  nodes  -  while  achieving  the  following  objectives: 

(i)  no  additional  information  is  revealed  by  the  protocol  about  each  participant’s  individual  data, 
other  than  what  is  made  available  through  the  result  of  the  desired  computation; 

(ii)  intruders,  actively  participating  in  the  computation  in  an  effort  to  alter  its  end  result,  can  be 
detected  by  means  of  the  protocol  with  high  probability. 

We focused our efforts on a driving example involving source localization (estimation of the location
of a target) by fusing noisy target range information available at spatially dispersed sensor nodes. In a
typical setting, each sensor node may possess measurements which can be used to derive such
information about the relative range between the target and that particular sensor. In this area, we are
leveraging our recent findings on distributed algorithms that can be used to compute functions of the
node data in a wireless network by using distributed, locally constructed fusion rules at each node.


Key  Management  Schemes  for  Distributed  Sensor  Networks 


Distributed sensor networks (DSN) are of central importance to military operations. Our interest in this
work is very large distributed sensor networks using inexpensive sensors. We have developed
innovative key management schemes for such networks, addressing an important information
assurance problem for wireless sensor networks. These very large sensor networks have
significant differences from more conventional sensor networks. First, in scale, we are interested in
sizes of 10,000 nodes as opposed to 100. Second, they have dynamic topology. Third, due to the method
of deployment (e.g. deployment by scattering), no prior knowledge of sensor-node location can be
assumed. Fourth, they should be able to accommodate incremental addition/deletion of nodes after
deployment. Fifth and most significant, they face hostile environments of operation, where they must
operate unattended and are subject to sensor-node monitoring, capture and manipulation. Physical
capture and tampering by an adversary is possible, which requires tamper-detection technology
(disabling the sensor and erasing its keys on detection), detection of data-input alteration, and
detection of input manipulation via data correlation.

From the perspective of key management these constraints (unknown network topology, intermittent
operation, network scale and dynamics) imply that key exchange/distribution via a third party is not
possible. Key pre-distribution is the only viable solution (to date). We have developed and analyzed a
new scheme based on a probabilistic key sharing approach. Each node is given k keys from a
pool of P keys. If two nodes share a common key then a secure link exists between them. These secure
links form a secure overlay network, which has to be connected. Our new basic scheme
consists of the following three steps: (1) key pre-distribution; (2) shared-key discovery; (3) path-key
establishment. We have analyzed this scheme and developed its performance evaluation analytically.
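The three steps of the scheme, together with the quantity its analysis turns on (the probability that
two nodes' key rings share at least one key out of a pool of P), are worked through in the following
Python example. It is an illustration written for this edit, not the authors' implementation or
analysis: the pool, ring and network sizes are toy values, the "keys" are seeded random bytes, the
radio adjacency is a constructed ring topology rather than a scattered deployment, and the path-key
step only finds the secure path; the actual key transport along it is left as a comment.

```python
"""Random key pre-distribution for a sensor network, in the three phases the
report describes: (1) key pre-distribution from a pool, (2) shared-key
discovery between neighbors, (3) path-key establishment across the secure
overlay. Toy sizes; keys are seeded random 16-byte values standing in for real keys."""
import random
from collections import deque


def share_probability(pool_size, ring_size):
    """Probability two rings of k keys drawn from a pool of P share at least one key:
    1 - C(P-k, k)/C(P, k), computed as a running product to avoid huge factorials."""
    no_share = 1.0
    for i in range(ring_size):
        no_share *= (pool_size - ring_size - i) / (pool_size - i)
    return 1.0 - no_share


def predistribute(num_nodes, pool_size, ring_size, seed=0):
    """Phase 1: draw a pool of P keys and give each node k distinct key ids (plus keys).
    Returns (pool, rings) with rings[node] = {key_id: key}."""
    rng = random.Random(seed)  # seeded so the example is reproducible; NOT a real CSPRNG
    pool = {kid: rng.getrandbits(128).to_bytes(16, "big") for kid in range(pool_size)}
    rings = {}
    for node in range(num_nodes):
        ids = rng.sample(range(pool_size), ring_size)
        rings[node] = {kid: pool[kid] for kid in ids}
    return pool, rings


def shared_key_discovery(rings, radio_neighbors):
    """Phase 2: neighbors exchange key-id lists (ids only, never keys) and keep a
    secure link for each pair with a common id. Returns {node: {neighbor: key_id}}."""
    links = {node: {} for node in rings}
    for a, b in radio_neighbors:
        common = sorted(set(rings[a]) & set(rings[b]))
        if common:
            links[a][b] = common[0]
            links[b][a] = common[0]
    return links


def path_key_establishment(links, src, dst):
    """Phase 3: find a path of secure links from src to dst (BFS). A fresh path key for
    the pair would then be sent hop by hop, encrypted under each link's shared key.
    Returns the node list of the path, or None if the overlay does not connect them."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in links[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


# Constructed toy deployment: 12 nodes, a pool of 60 keys, rings of 8, and a radio
# adjacency in which every node hears its 3 next neighbors on a ring (not a real topology).
NUM_NODES, POOL_SIZE, RING_SIZE = 12, 60, 8
RADIO = [(a, (a + d) % NUM_NODES) for a in range(NUM_NODES) for d in (1, 2, 3)]
POOL, RINGS = predistribute(NUM_NODES, POOL_SIZE, RING_SIZE)
LINKS = shared_key_discovery(RINGS, RADIO)

if __name__ == "__main__":
    print("P(two rings share a key) for P=10000, k=75:", round(share_probability(10000, 75), 3))
    print("secure links per node:", {n: len(l) for n, l in LINKS.items()})
    print("secure path 0 -> 6:", path_key_establishment(LINKS, 0, 6))
```

The share probability is the design knob: with the toy P = 60, k = 8 it is about 0.67, and with the
report's scale of a 10,000-key pool and rings of 75 it is about 0.43, which is enough for the random
overlay graph to be connected with high probability at the node densities the report targets, while a
captured node only exposes k of the P keys.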


Attacks  and  Defenses  Utilizing  Cross-Layer  Interactions  in  MANET 

Cross-layer protocol design is one of the prevailing methodologies recently adopted in networking
research and leads to significant performance benefits. We assessed the performance of cross-layer
interaction and investigated its effects with regard to the security and information assurance of
mobile ad hoc wireless networks. Using attacks in realistic wireless networks as a prototype, we found
that natural cross-layer interactions between physical, MAC and network layer protocols in MANET
can turn out to be a weak point, enabling various attacks and intrusions. However, by allowing a
controlled synergy between the affected layers, we facilitate timely detection of such attacks, which
are otherwise difficult to detect and may have devastating effects on network functionality and
operation.

We demonstrated that natural interactions between the physical layer and MAC, as well as between
MAC and routing protocols in MANET, can lead to a variety of attacks and intrusions. We showed that
without purposeful collaboration between the layers affected by such attacks, they are very difficult
to detect, while at the same time they can have catastrophic effects on MANET functionality and
operation. To illustrate the impact of MAC layer attacks we first described the effects of a dishonest
user in the MAC layer on the performance of the network, and later we concentrated on malicious users.
For the majority of the work we focused on attacks involving interactions between the MAC and
routing protocols and described the detection and defense mechanisms we have developed for such
attacks. We described several DoS attacks in realistic MANET that explicitly exploit cross-layer
interactions. We used the realistic scenario where each node initially employs legal communication
patterns that prevent other nodes from communicating, and after some time they start misbehaving in
order to maintain priority in the network.


We used the IEEE 802.11 MAC layer and, through several different scenarios, showed that attacks that
originate in the MAC layer easily propagate to the routing layer, breaking existing routes. We also
showed that attack propagation can not only break selected routes but can also be used to include the
attackers in the new routes. We showed that the attack with colluding attackers is more powerful than
attacks using only a single attacker or multiple non-colluding attackers. We proved using a
game-theoretic approach that the scenario in which each attacker attempts to maximize his own gain
results in minimal gain for each of the attackers.


Communication-Friendly  Encryption  of  Multimedia 

We investigated means of protecting the confidentiality and achieving access control of multimedia
information, which is one of the crucial security elements for many applications. More specifically, we
researched efficient and effective encryption of multimedia with a focus on communication and
compression issues. We identified a set of domains along the representation and communication
process of multimedia where encryption can be applied, and proposed three encryption operations
through elegant combinations of multimedia signal processing and contemporary cryptography.

By moving the encryption domain from the bit stream to upper levels, and therefore preserving
standard compliance, more sophisticated intermediate processing can be applied directly on the
encrypted data. Under such a framework, we proposed an encryption tool via a generalized index
mapping, which can be applied to any scalar or vector symbols with a finite value range. The
compression overhead of this scheme can be adjusted and confined to a moderate amount. The three
fundamental schemes we developed can be used as building blocks and combined to form an
encryption system for multimedia data. Our designs of these proposed encryption operations take into
consideration the inherent structure and the underlying syntax of multimedia sources to achieve
improved friendliness to communications, compression, and computation.
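What "index mapping" means in practice, a keyed permutation of a symbol's index within its finite
value range so that every ciphertext symbol is still a legal symbol of the format, is shown in the
following Python example. It is written for this edit and is not the authors' scheme: the keyed
permutation is built by a Fisher-Yates shuffle driven by an HMAC-SHA256 keystream (an assumed
construction), the 64-symbol alphabet stands for something like 6-bit quantized coefficient indices,
and the key and the symbol run are constructed values.

```python
"""Index-mapping encryption of multimedia symbols: a keyed permutation of the index
space of a finite-alphabet symbol (e.g. a quantized coefficient or vector-quantizer
index), so every ciphertext symbol is still a legal symbol and the surrounding
bitstream syntax stays standard-compliant."""
import hashlib
import hmac


def keyed_permutation(key, alphabet_size, context=b""):
    """Fisher-Yates shuffle of range(alphabet_size) driven by an HMAC-SHA256 keystream
    over (context, counter); context ties the mapping to a block/frame position."""
    stream = bytearray()
    counter = 0

    def next_u32():
        nonlocal counter, stream
        if len(stream) < 4:
            stream += hmac.new(key, context + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        value = int.from_bytes(stream[:4], "big")
        del stream[:4]
        return value

    perm = list(range(alphabet_size))
    for i in range(alphabet_size - 1, 0, -1):
        j = next_u32() % (i + 1)  # tiny modulo bias; acceptable for an illustration
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def _inverse(perm):
    inv = [0] * len(perm)
    for src, dst in enumerate(perm):
        inv[dst] = src
    return inv


def encrypt_symbols(symbols, key, alphabet_size, context=b""):
    """Map each in-range symbol index through the keyed permutation; output stays in range."""
    perm = keyed_permutation(key, alphabet_size, context)
    return [perm[s] for s in symbols]


def decrypt_symbols(symbols, key, alphabet_size, context=b""):
    """Apply the inverse permutation derived from the same key and context."""
    inv = _inverse(keyed_permutation(key, alphabet_size, context))
    return [inv[s] for s in symbols]


KEY = b"constructed demo key, not a real one"
ALPHABET = 64                                  # e.g. 6-bit quantized coefficient indices (assumed)
SAMPLE = [0, 5, 5, 12, 63, 7, 5, 0, 30, 12]   # constructed symbol run

if __name__ == "__main__":
    enc = encrypt_symbols(SAMPLE, KEY, ALPHABET, context=b"block-1")
    print("plain:", SAMPLE)
    print("cipher (still 0..63):", enc)
    print("round trip:", decrypt_symbols(enc, KEY, ALPHABET, context=b"block-1") == SAMPLE)
```

Two caveats a practitioner should keep in mind. A single permutation reused across a stream is a
substitution cipher, so the context should change per block or frame to deny frequency analysis.
And the permutation destroys the skewed symbol statistics the entropy coder downstream was tuned
for, which is exactly the compression overhead the report says must be adjusted and confined.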


Key  and  Node  Revocation  in  Distributed  Sensor  Networks 

Sensor  network  security  poses  a  unique  challenge  due  to  the  large  numbers  of  sensor  nodes  involved 
and  the  limitations  of  sensor  node  hardware.  A  variety  of  techniques  to  bootstrap  security  in  sensor 
networks  have  been  developed  using  key  pre-distribution  techniques  based  on  our  original  scheme. 
However,  the  problem  of  key  and  node  revocation  in  sensor  networks  has  received  relatively  little 
attention.  Distributed  revocation  protocols  pose  new  design  challenges  since  these  protocols  need  to 
account  for  the  presence  of  active  adversaries  pretending  to  be  legitimate  protocol  participants  via 
compromised  sensor  nodes.  Revocation  protocols  that  function  correctly  in  such  environments  are 
essential  to  secure  sensor  network  operation.  In  the  absence  of  such  protocols,  an  adversary  could 
effectively  take  control  of  the  sensor  network's  operation  by  using  compromised  nodes  which  retain 
their  network  connectivity  for  extended  periods  of  time.  In  our  research,  we  defined  a  set  of  basic 
properties  that  distributed  sensor-node  revocation  protocols  must  satisfy,  and  presented  a  protocol  for 
distributed  node  revocation  that  satisfies  these  properties  under  general  assumptions  and  a  standard 
attacker  model. 

The low-cost, off-the-shelf hardware components in unshielded sensor-network nodes leave them
vulnerable to compromise. With little effort, an adversary may capture nodes, analyze and replicate
them, and surreptitiously insert these replicas at strategic locations within the network. Such attacks
may have severe consequences; they may allow the adversary to corrupt network data or even
disconnect significant parts of the network. Previous node replication detection schemes depend
primarily on centralized mechanisms with single points of failure, or on neighborhood voting protocols
that fail to detect distributed replications. To address these fundamental limitations, we proposed two
new algorithms based on emergent properties, i.e., properties that arise only through the collective
action of multiple nodes. Randomized Multicast distributes node location information to randomly
selected witnesses, exploiting the birthday paradox to detect replicated nodes, while Line-Selected
Multicast uses the topology of the network to detect replication. Both algorithms provide globally
aware, distributed node-replica detection, and Line-Selected Multicast displays particularly strong
performance characteristics. We believe that emergent algorithms represent a promising new approach
to sensor network security; moreover, our results naturally extend to other classes of networks in which
nodes can be captured, replicated and re-inserted by an adversary.
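The birthday-paradox argument behind Randomized Multicast is made concrete in the following Python
example, which pairs the closed-form estimate with a seeded simulation. It is written for this edit
and is not the authors' protocol or evaluation: location claims are treated as already
signature-verified, each claim reaches g uniformly chosen witnesses out of n nodes (an assumed
idealization of the multicast), and n, g and the trial count are assumed values. Line-Selected
Multicast is not modeled.

```python
"""Randomized Multicast replica detection: every node's signed location claim is
forwarded to g randomly chosen witness nodes; two replicas of the same ID at
different locations reach a common witness with birthday-paradox probability."""
import math
import random


def analytic_detection_probability(n, g):
    """P(two independent sets of g witnesses drawn from n nodes intersect) ~ 1 - exp(-g^2/n)."""
    return 1.0 - math.exp(-g * g / n)


def witnesses(rng, n, g):
    """Idealized multicast: the claim lands on g distinct uniformly chosen nodes."""
    return set(rng.sample(range(n), g))


def claims_conflict(claim_a, claim_b):
    """A witness holding two claims with the same node ID but different locations
    has caught a replica (signatures are assumed to have been verified already)."""
    return claim_a["id"] == claim_b["id"] and claim_a["loc"] != claim_b["loc"]


def simulate(n, g, trials, seed=0):
    """Fraction of trials in which an original and one replica of the same ID,
    at distinct random locations, are caught by at least one common witness."""
    rng = random.Random(seed)
    caught = 0
    for _ in range(trials):
        original = {"id": 42, "loc": (rng.random(), rng.random())}
        replica = {"id": 42, "loc": (rng.random(), rng.random())}
        store = {}                                  # witness -> first claim it stored
        for w in witnesses(rng, n, g):
            store[w] = original
        detected = False
        for w in witnesses(rng, n, g):
            if w in store and claims_conflict(store[w], replica):
                detected = True
            store.setdefault(w, replica)
        caught += detected
    return caught / trials


if __name__ == "__main__":
    n, g = 1000, 32                                 # g ~ sqrt(n) witnesses per claim
    print("analytic:", round(analytic_detection_probability(n, g), 3))
    print("simulated:", round(simulate(n, g, 3000), 3))
```

With g on the order of the square root of n, each claim costs O(sqrt(n)) messages yet a single
replica is caught with probability around 1 - 1/e; a second replica, or a second round of claims,
drives the miss probability down geometrically.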


Key  Management  Schemes  for  Distributed  Sensor  Networks 

Distributed sensor networks (DSN) are of central importance to military operations. Our interest in this
work is in very large distributed sensor networks built from inexpensive sensors. We have developed
innovative key management schemes for such networks, addressing an important information
assurance problem for wireless sensor networks. These very large sensor networks differ significantly
from more conventional sensor networks. First, in scale: we are interested in sizes of 10,000 nodes as
opposed to 100. Second, they have dynamic topology. Third, because of the method of deployment
(e.g., deployment by scattering), no prior knowledge of sensor-node location can be assumed. Fourth,
they should be able to accommodate incremental addition/deletion of nodes after deployment. Fifth,
and most significant, they face hostile environments of operation, where they must operate unattended
and are subject to monitoring, capture and manipulation of sensor nodes. Physical capture and
tampering by an adversary is possible, which requires tamper-detection technology (disabling the
sensor and erasing its keys), detection of alteration of data inputs, and detection of input manipulation
via data correlation.

From the perspective of key management, these constraints (unknown network topology, intermittent
operation, network scale and dynamics) imply that key exchange/distribution via a third party is not
possible. Key pre-distribution is the only viable solution (to date). We have developed and analyzed a
new scheme based on a probabilistic key sharing approach. Each node is given k keys from a pool of P
keys. If two nodes share a common key, then a link exists between them. These secure links form an
overlay secure network, and this overlay network has to be connected. Our new basic scheme consists
of the following three steps: (1) key pre-distribution; (2) shared-key discovery; (3) path-key
establishment. We have analyzed this scheme and developed its performance evaluation analytically.
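The three steps of the basic scheme, worked through as an added example that is not the project's own implementation: key rings of size k are drawn from a pool of P key identifiers (step 1), nodes within radio range compare identifiers and link up when they share one (step 2), and a pair with no common key gets a path key relayed over the secure overlay (step 3, shown here as the BFS path the key would travel). The `in_range` predicate, the pool and ring sizes, and the node count are constructed assumptions; identifiers stand in for the secret keys.

```python
import math
import random
from collections import deque


def sharing_probability(pool_size, ring_size):
    """Probability that two rings of ring_size keys, each drawn without
    replacement from a pool of pool_size keys, share at least one key.
    This is the per-link probability that drives overlay connectivity."""
    if 2 * ring_size > pool_size:
        return 1.0
    return 1.0 - math.comb(pool_size - ring_size, ring_size) / math.comb(pool_size, ring_size)


def key_pre_distribution(num_nodes, pool_size, ring_size, seed=0):
    """Step 1 (before deployment): load every node with a random key ring."""
    rng = random.Random(seed)
    return [frozenset(rng.sample(range(pool_size), ring_size)) for _ in range(num_nodes)]


def shared_key_discovery(rings, in_range):
    """Step 2 (after deployment): nodes that can hear each other exchange the
    identifiers of the keys they hold; a pair sharing at least one key has a
    secure link. Returns the overlay adjacency: node -> set of neighbours."""
    adj = {i: set() for i in range(len(rings))}
    for i in range(len(rings)):
        for j in range(i + 1, len(rings)):
            if in_range(i, j) and rings[i] & rings[j]:
                adj[i].add(j)
                adj[j].add(i)
    return adj


def path_key_establishment(adj, src, dst):
    """Step 3: two nodes with no common key obtain a fresh pairwise key that
    is relayed hop by hop, each hop encrypted under the key shared on that
    link. Returns the shortest overlay path (BFS) the key would follow, or
    None when the overlay does not connect the two nodes."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            path = []
            while u is not None:
                path.append(u)
                u = prev[u]
            return path[::-1]
        for v in sorted(adj[u]):
            if v not in prev:
                prev[v] = u
                queue.append(v)
    return None


def overlay_is_connected(adj):
    """The overlay must be connected for path keys to reach every node."""
    if not adj:
        return True
    start = next(iter(adj))
    return all(path_key_establishment(adj, start, v) is not None for v in adj)


def deploy(num_nodes, pool_size, ring_size, seed=0):
    """End-to-end run on a dense field (every pair in range, an assumption)."""
    rings = key_pre_distribution(num_nodes, pool_size, ring_size, seed)
    adj = shared_key_discovery(rings, lambda i, j: True)
    return overlay_is_connected(adj), adj


if __name__ == "__main__":
    print("p(share) for P=10000, k=75:", round(sharing_probability(10000, 75), 3))
    connected, adj = deploy(60, 1000, 40)
    print("overlay connected:", connected, "mean degree:",
          sum(len(v) for v in adj.values()) / len(adj))
```

Note the security trade-off the numbers make visible: a larger ring raises the link probability but also means that each captured node exposes a larger share of the pool, which is why the scheme pairs pre-distribution with tamper detection and key erasure on capture.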


Secure Localization, Synchronization and Protocols for Wireless Sensor Networks

Our research focused on various aspects of wireless sensor networks and how to make these networks
robust and secure for deployment in highly adversarial or extreme environments such as military
battlefields, space environments, etc. Since these environments require a high degree of assurance, and
malfunctioning or captured nodes cannot be easily replaced, these missions require systems designed
to withstand high levels of destruction and capture. We worked on a robust positioning algorithm that
can determine the location of moving objects and sensors, and designed a system that is highly robust
to noise and malicious data, resilient to a large degree of malfunction, and hence provides a great
degree of assurance and reliability and increases mission life. This system does not require trust
relationships to exist among the sensor nodes in order to function accurately, and hence is very
practical for random deployment scenarios.


State-of-the-art lightweight cryptographic techniques have been researched and employed to provide a
high level of security to the systems designed without much additional energy consumption.


Secure and accurate time synchronization is another important requirement for a highly distributed
system like a wireless sensor network, where all measurements are recorded, processed and analyzed
in a time-sensitive context. Thus, we need to preserve the integrity of the time synchronization
mechanism used in these networks. Subsequently, we worked on a lightweight secure time
synchronization scheme that relies on only a single external reliable source and can synchronize
accurately even in the presence of malicious or captured sensors.


We collaborated with Fujitsu Laboratories of America in a joint venture to work on a proposal for the
IEEE 802.11 ESS Mesh Network Standard. Our main contribution towards a reliable and efficient
security mechanism for the mesh network was well appreciated and leveraged by the joint standards
committee. We have been invited to participate in directly shaping the security mechanism of the mesh
standard in the forthcoming months.


We worked with Fujitsu Labs of America on providing enterprise-level security using special
Collaborative Ubiquitous Security (CUS) switches that can filter traffic based on user identity and role
and end-device privileges, as well as access control measures based on the service requested. This has
proven to provide a greater level of privacy and security to sensitive components of corporate networks
than conventional access control methods. It also provides non-repudiation of transactions and virtual
private masking.


We analyzed the security mechanism of Fujitsu Labs of America's leading research prototype, the
Wireless Wallet, which is a mobile phone based secure payment system. We found security flaws and
vulnerabilities in the protocol as well as in the infrastructure employed. The findings were published in
an internal technical report, and the new improved version of the Wireless Wallet will be published
shortly.


Secure Cooperative Ad Hoc Networks Against Insider Attackers

In cooperative ad hoc networks where nodes belong to the same authority and pursue a common goal
(which is the case for most military and emergency applications), nodes usually help each other
unconditionally. Once some nodes have been compromised or hijacked, they can cause very severe
damage to the whole network. We have studied the possible attacks that can be launched by insider
attackers as well as the damage they can cause, designed efficient mechanisms to keep track of
possible malicious behaviors, and proposed an effective defense system to handle insider attacks.
Furthermore, the security issues in cooperative ad hoc networks have been studied under a game
theoretic framework, and optimal routing and packet forwarding strategies have been proposed.


A related topic of interest is security and cooperation stimulation in autonomous ad hoc networks.
Although most existing ad hoc networks are designed for military or emergency situations, their usage
in civilian applications will become more and more popular. In civilian applications, nodes in an ad hoc
network usually belong to different authorities, have different goals, and tend to be selfish. Further,
some nodes may be malicious, with the objective of causing damage to the network. We refer to such
ad hoc networks as autonomous ad hoc networks. Before autonomous ad hoc networks can be
successfully deployed, two important issues must be resolved first: cooperation stimulation and
security. These issues were studied in the research effort described in this report. First, we have
designed an efficient system to simultaneously stimulate cooperation among selfish nodes and defend
against attacks; it is fully distributed and does not require any tamper-proof hardware or central
management points. More importantly, we have analyzed the possible cooperation (packet forwarding)
strategies in autonomous ad hoc networks under different optimality criteria in a game theoretic
framework, fully exploiting the nodes' selfish nature and the possible cheating and malicious
behaviors, and designed optimal strategies that are Nash equilibria, strongly Pareto optimal and
cheat-proof, and that can achieve fairness among selfish nodes.


Trust Modeling and Evaluation in Ad Hoc and Sensor Networks

To enhance security in ad hoc networks, one strategy is to develop mechanisms that allow a node to
evaluate the trustworthiness of other nodes. We have developed an information theoretic framework
for trust modeling and evaluation, in which trust is a measure of uncertainty and can be measured by
entropy. From this understanding of trust, we developed axioms that address the basic rules for
establishing trust through a third party and through recommendations from multiple sources. Further,
the possible attacks against trust evaluation are identified, defense techniques are developed, and the
performance of the proposed trust model under various attacks is measured. The proposed theoretical
models are then applied to improve the performance of ad hoc routing schemes and to perform
malicious node detection.
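An entropy-based trust value and the two propagation rules the paragraph mentions (trust through a third party, and combination of recommendations from several sources), as an added example rather than the report's own model: the piecewise form 1 - H(p) for p >= 0.5 and H(p) - 1 for p < 0.5, the Beta-mean estimate of p from observed interactions, the product rule for concatenation and the weighted average for combination are all assumptions made for this illustration, as is the detection threshold in `flag_malicious`.

```python
import math


def binary_entropy(p):
    """H(p) in bits, with H(0) = H(1) = 0."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def entropy_trust(p):
    """Trust value in [-1, 1] from p, the subject's estimated probability that
    the agent will perform the action. Assumed piecewise form: 1 - H(p)
    (trust) for p >= 0.5, H(p) - 1 (distrust) for p < 0.5. Maximal
    uncertainty (p = 0.5) maps to 0; certainty maps to +1 or -1."""
    h = binary_entropy(p)
    return 1.0 - h if p >= 0.5 else h - 1.0


def trust_from_observations(successes, failures):
    """Direct trust from observed interactions: p is the posterior mean under
    a Beta(1, 1) prior (an assumed estimator), then entropy-mapped."""
    p = (successes + 1.0) / (successes + failures + 2.0)
    return entropy_trust(p)


def concatenate(r_ab, t_bc):
    """Trust through a third party: A's trust in B *as a recommender* (r_ab)
    scales B's trust in C. A recommender that A distrusts (r_ab <= 0) is
    ignored, so |result| <= |t_bc|: trust never grows along a chain."""
    return r_ab * t_bc if r_ab > 0.0 else 0.0


def combine_recommendations(recommendations):
    """Recommendations (r_ab, t_bc) from several sources, combined as the
    recommender-trust-weighted average of the concatenated values (assumed
    rule); distrusted recommenders contribute nothing."""
    usable = [(r, t) for r, t in recommendations if r > 0.0]
    if not usable:
        return 0.0
    return sum(r * t for r, t in usable) / sum(r for r, _ in usable)


def flag_malicious(trust_value, threshold=-0.5):
    """Malicious-node detection policy used in this example: a node whose
    trust value falls below the threshold is flagged and avoided in routing."""
    return trust_value < threshold


if __name__ == "__main__":
    # Constructed scenario: node A has seen B forward 20 of 21 packets, while
    # two recommenders report on C; B is trusted as recommender, D is not.
    t_ab = trust_from_observations(20, 1)
    t_ac = combine_recommendations([(t_ab, 0.8), (-0.2, 1.0)])
    print(round(t_ab, 3), round(t_ac, 3), flag_malicious(trust_from_observations(1, 20)))
```

Because the mapping is symmetric about p = 0.5 and saturates at the ends, a single bad observation against a long good record barely moves the value, while a recommender can never raise another node's trust above its own standing: two properties a defender wants when the evidence itself may be forged by the node under evaluation.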


Optimizing Rekeying Cost for Contributory Group Key Agreement Schemes

While contributory group key agreement is a promising solution to achieve access control in
collaborative and dynamic group applications, the existing schemes have not achieved the performance
lower bound in terms of time, communication and computation cost. We have proposed a contributory
group key agreement that achieves the performance lower bound by utilizing a novel logical key tree
structure, called PFMH, and the concept of phantom user position. In particular, the proposed scheme
only needs O(1) rounds of two-party DH upon any single user join event and O(log n) rounds of
two-party DH upon any single user leave event. Both theoretical bound analysis and simulation show
that the proposed scheme achieves lower rekeying cost than the existing tree-based contributory group
key agreement schemes.


Topology-Aware Key Management Schemes for Wireless Multicast

Technological advancements have created the potential for many new applications that will allow users
to simultaneously share content and collaborate. The most relevant enabling network technology for
group communication is multicast. The problem of access control has received extensive attention in
the recent literature and many solutions for the generic problem have been proposed. However, the
traditional literature does not address network-specific issues.


In tree-based multicast key management schemes, most rekeying messages are only useful to a subset
of users, who are always neighbors on the key management tree. This observation motivates us to
design a key tree that matches the network topology in such a way that the neighbors on the key tree
correspond to the topology of the wireless LAN, which consists of mobile users and access points. This
key tree design proceeds in two steps:

Step 1: Design a subtree for the users connecting to each access point (AP). These subtrees are
called user subtrees.

Step 2: Design a subtree which governs the key hierarchy between the APs and the key distribution
center (KDC). This subtree shall be called the AP subtree.

By delivering the rekeying messages only to the users who need them, we may take advantage of the
fact that the key tree matches the network topology, and localize the delivery of rekeying messages to
small regions of the network.


Secure and Cost-Efficient Contributory Group Key Agreement Protocols

In contributory key agreements, every group member makes its own contribution independently when
establishing group keys, and each member's personal key is not disclosed to any other entity.
Compared with centralized key management schemes, contributory key agreement schemes also have
the advantage that they do not rely on centralized servers and secure communication channels. In our
research we investigated methods for reducing the cost associated with key updates in contributory
group key agreement protocols. We developed TCGK, a suite of cost-efficient Tree-based
Contributory Group Key agreement protocols for secure group communication with dynamic
membership changes. We designed a novel logical key tree structure, based on which the rekeying cost
per user join or leave event can be dramatically reduced. To the best of our knowledge, TCGK has the
lowest cost among the existing tree-based contributory key agreement schemes, and achieves better
scalability. The simulation results have also confirmed the superiority of TCGK over the existing
schemes in terms of cost savings.

In secure group communications, the time cost associated with key updates for member join and
departure is an important aspect of quality of service, especially in large groups with dynamic
membership. In time-sensitive applications, a timely key update during member join or departure
assures that secure group communications can be established in a timely manner. We developed a new
scheme called Join-Exit Tree (JET) Group Key Agreement. Our analytical results show that our
proposed scheme achieves an average asymptotic time of O(log(log n)) for a join event, and also
O(log(log n)) for a departure event when group dynamics are known a priori. We have extensively
studied the performance of our scheme under different user activity scenarios, including sequential
user join, MBone (Multicast Backbone) multicast session data, and a probabilistic user behavior
model. In all these scenarios, our proposed scheme has outperformed the existing schemes in terms of
rekeying time complexity. In addition to the improved time efficiency, our scheme also has low
communication and computation complexity.
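The PFMH scheme above and TCGK/JET all build on tree-structured two-party DH, so an added example of the generic tree-based contributory key agreement they improve on (this is not the report's code and does not implement PFMH, phantom positions, TCGK or the JET structure) shows what "contributory" and "O(log n) rounds on a leave" mean concretely: each member holds only its own secret, every internal node key is g^(left key * right key), any member can recompute the root from its own secret plus the public blinded keys of the sibling subtrees on its path, and a departure forces a fresh contribution along that one path. The modulus, generator and member secrets are toy constructed values, not a production DH group.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

P = 2**127 - 1   # toy prime modulus (constructed, illustration only)
G = 3            # toy generator


@dataclass
class Node:
    key: int                       # secret node key: known only to members below it
    left: Optional["Node"] = None
    right: Optional["Node"] = None
    member: Optional[str] = None   # set on leaves

    @property
    def blinded(self):
        """Public blinded key g^key, the only thing other subtrees ever see."""
        return pow(G, self.key, P)


def build_tree(members):
    """Balanced binary key tree over {name: secret}. An internal key is
    g^(left.key * right.key); either side computes it from its own key and
    the other side's blinded key, so no member's secret is ever disclosed.
    (Built here with full knowledge, to check the members' own views.)"""
    names = sorted(members)

    def build(lo, hi):
        if hi - lo == 1:
            return Node(members[names[lo]], member=names[lo])
        mid = (lo + hi) // 2
        left, right = build(lo, mid), build(mid, hi)
        return Node(pow(right.blinded, left.key, P), left, right)

    return build(0, len(names))


def member_view(root, name, secret):
    """What one member can compute on its own: climb from its leaf to the
    root using only its secret and the blinded keys of the sibling subtrees.
    Returns (group_key, rounds), rounds = path length = O(log n)."""
    siblings = []  # filled leaf-to-root as the search unwinds

    def find(node):
        if node.member == name:
            return True
        for child, sibling in ((node.left, node.right), (node.right, node.left)):
            if child is not None and find(child):
                siblings.append(sibling)
                return True
        return False

    if not find(root):
        raise KeyError(name)
    key = secret
    for sibling in siblings:
        key = pow(sibling.blinded, key, P)
    return key, len(siblings)


def leave(members, leaving, sponsor, fresh_secret=None):
    """On a departure the sponsor (a remaining member) picks a fresh secret,
    so every key on the departed member's path changes and its knowledge of
    the old keys is useless; the rest of the tree keeps its secrets."""
    updated = dict(members)
    del updated[leaving]
    updated[sponsor] = fresh_secret if fresh_secret is not None else secrets.randbelow(P - 2) + 2
    return updated


if __name__ == "__main__":
    group = {"a": 11, "b": 13, "c": 17, "d": 19, "e": 23}   # constructed secrets
    root = build_tree(group)
    for name, s in group.items():
        key, rounds = member_view(root, name, s)
        print(name, key == root.key, "rounds:", rounds)
    root2 = build_tree(leave(group, "b", sponsor="a"))
    print("group key changed on leave:", root2.key != root.key)
```

The round count returned by `member_view` is the depth of the member's leaf, which is where the O(log n) leave cost of the classic tree protocols comes from; the schemes in this section reduce the join cost to O(1) and the leave cost further by shaping the tree, not by changing this basic contributory step.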


Attacks and Protection of Dynamic Membership Information in Secure Group Communications


In secure group communications, key management is employed to prevent unauthorized access to
multicast content. We discovered that the rekeying process associated with multicast key management
can disclose information about the dynamics of the group membership to both insiders and outsiders.
We refer collectively to the number of users in the multicast group as a function of time, and the
number of users who join or leave the service during a time interval, as group dynamics information
(GDI). The leakage of GDI from the rekeying process can lead to serious security and privacy
problems. For centralized key management schemes, we have developed two effective strategies to
steal the GDI. These strategies involve:

(1) obtaining membership dynamics from the format of rekeying messages;

(2) estimating the number of users, N(t), from the size of rekeying messages.

Many popular centralized key management schemes are vulnerable to these attacks. Our simulations
show that these passive-attack strategies result in accurate estimation of the GDI.

To protect the GDI, we developed an anti-attack technique utilizing batch rekeying and phantom users.
The combined effects of the phantom users and the real users lead to a new rekeying process, called
the observed rekeying process, which is what the attackers can monitor. The goal is to produce an
observed rekeying process that reveals the least amount of information about the real GDI. We derived
performance criteria that describe the security level of the proposed scheme using mutual information.
The proposed anti-attack scheme is evaluated based on the data obtained from real MBone sessions.
We also analyzed the vulnerability of various contributory key management schemes and investigated
techniques that can be used to protect dynamic group membership information in distributed
environments.
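An added example (not the report's scheme or code) of why the rekeying process leaks GDI and how phantom users plus batch rekeying change what an observer sees. The first function counts the encrypted key messages a KDC sends in a full d-ary logical key hierarchy, so that a per-event departure costs d*h - 1 messages and therefore reveals the tree height, i.e. a range for N(t). The `PhantomPaddedKDC` then keeps the tree at a fixed capacity, lets phantom users hold the unused leaves, and rekeys a fixed number of leaves per interval by padding real events with phantom-to-phantom changes. The tree shape, batch size and user names are constructed assumptions; the exact message count still varies with which leaves change, so this padding targets the message format and count of updated leaves, not every statistic the report's mutual-information criterion covers.

```python
import random


def lkh_rekey_messages(changed_leaves, height, d=2, dropped_leaf_keys=0):
    """Encrypted key messages sent in one rekey of a full d-ary key tree of
    the given height: every key on the path from a changed leaf to the root
    is replaced, and each replacement is sent under each of its d child keys.
    A per-event scheme that simply drops a departing member's leaf key sends
    one message fewer per such leaf (dropped_leaf_keys)."""
    affected = set()
    for leaf in changed_leaves:
        node = leaf
        for level in range(height):
            node //= d
            affected.add((level, node))   # ancestor id at each tree level
    return d * len(affected) - dropped_leaf_keys


def size_range_from_single_leave(msg_count, d=2):
    """What an observer of a per-event scheme learns from one departure: the
    count d*h - 1 gives the height h, hence d^(h-1) < N <= d^h."""
    height = (msg_count + 1) // d
    return d ** (height - 1) + 1, d ** height


class PhantomPaddedKDC:
    """Batch rekeying over a key tree of fixed capacity. Unused leaves are
    held by phantom users, and every interval rekeys exactly batch_size
    leaves, padding the real join/leave events with phantom-to-phantom
    changes; the observed process then does not track the real membership."""

    def __init__(self, height, batch_size, d=2, seed=0):
        self.height, self.d, self.batch_size = height, d, batch_size
        self.owner = {leaf: None for leaf in range(d ** height)}  # None = phantom
        self.rng = random.Random(seed)

    def real_users(self):
        return sorted(u for u in self.owner.values() if u is not None)

    def batch_rekey(self, joins, leaves):
        """Process one interval; returns (rekeyed leaves, message count).
        The first value is what the message format exposes, and it is the
        same in every interval regardless of the real events."""
        changed = []
        for user in leaves:                        # departing user -> phantom slot
            leaf = next(l for l, u in self.owner.items() if u == user)
            self.owner[leaf] = None
            changed.append(leaf)
        for user in joins:                         # joiner takes a phantom slot
            leaf = next(l for l, u in self.owner.items()
                        if u is None and l not in changed)
            self.owner[leaf] = user
            changed.append(leaf)
        if len(changed) > self.batch_size:
            raise ValueError("more real events than the batch can hide")
        spare = [l for l, u in self.owner.items() if u is None and l not in changed]
        changed += self.rng.sample(spare, self.batch_size - len(changed))
        return len(changed), lkh_rekey_messages(changed, self.height, self.d)


if __name__ == "__main__":
    m = lkh_rekey_messages([5], height=3, dropped_leaf_keys=1)
    print("per-event leave sends", m, "messages -> N in", size_range_from_single_leave(m))
    kdc = PhantomPaddedKDC(height=3, batch_size=2)
    print(kdc.batch_rekey(["alice", "bob"], []), kdc.real_users())
    print(kdc.batch_rekey([], ["alice"]), kdc.real_users())
```

The price of the padding is visible in the exception: real activity above the batch size cannot be hidden without rekeying more leaves, so the batch size must be chosen from the expected join/leave rate, which is exactly what the MBone session traces in the report provide.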


Joint Optimization of Sensing Coverage and Secure Connectivity in Sensor Networks

Sensor networks have great potential in applications such as habitat monitoring, wildlife tracking,
building surveillance, as well as military combat fields. Some important issues regarding sensor
networks are the sensing coverage, node-to-node or node-to-base-station communications, and the
security in information gathering and relay by the sensors. In our effort this year, we showed that the
system performance from the perspective of these aspects depends closely on how the sensors are
deployed in the field, and on how the sensor locations can be adjusted after the initial deployment. For
static sensor deployment, we investigated the hexagon and square lattice topologies and analyzed their
impact on secure connectivity and sensing coverage. For advanced sensing devices that allow for
location adjustment after deployment, we have established a new framework for coordinated updates
of sensor locations. We proposed two new sensor location updating algorithms, the VFSec and the
Weighted Centroid algorithm, to jointly optimize sensing coverage and secure connectivity. Our
simulation results show that these new algorithms provide a superior tradeoff compared with the
existing approaches that do not take security into consideration.


Secure Localization in Wireless Sensor and Ad Hoc Networks

We have investigated the problem of secure location verification in wireless sensor and ad hoc
networks. Location information is essential to the deployment of wireless sensor and ad hoc networks.
It is not only needed in location-aware applications, but also required to support secure network
services, such as secure routing. However, the localization procedure itself may be under attack.


Current solutions either depend on extra expensive hardware or are vulnerable to insider attack, where
compromised nodes can report false positions. Our new approach is to take advantage of the
redundancy in the underlying properties of wireless networks. The property we have used is that
neighboring nodes that can hear each other are also close to each other location-wise. Moreover, a
node depends on its neighbors to relay its traffic. So, our new location verification scheme requires
neighboring nodes to verify the sender's location claim before forwarding its message. A location
claim is considered valid by the receiver if the distance between the claimed location and the receiver's
location is less than the node's maximum transmission range. Our new approach is range independent
and does not require extra hardware. It involves only local communication and computation. It is
robust under both outsider and insider-only attacks. Current efforts are focused on evaluating the
effectiveness of this scheme, integrating it with the location computation schemes, and exploring other
properties that can be utilized for the same purpose.
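The receiver-side check the paragraph describes, as an added example that is not the project's implementation: every neighbour that hears a packet compares the claimed origin with its own position and relays the packet only if the claimed point lies within the maximum transmission range. The range, neighbour positions and packets are constructed values; the node positions are assumed known to the verifying nodes themselves.

```python
import math

MAX_RANGE_M = 100.0   # constructed maximum transmission range, in metres


def distance(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def claim_is_plausible(claimed, receiver, max_range=MAX_RANGE_M):
    """A receiver accepts a location claim only if the claimed point is within
    its own range; a node that far away could not have been heard at all."""
    return distance(claimed, receiver) <= max_range


def neighbour_verdicts(claimed, neighbours, max_range=MAX_RANGE_M):
    """Each neighbour {id: (x, y)} that heard the packet checks the claim on
    its own, with no trust relationship or extra hardware required."""
    return {nid: claim_is_plausible(claimed, pos, max_range)
            for nid, pos in neighbours.items()}


def forward_decisions(packet, neighbours, max_range=MAX_RANGE_M):
    """Ids of the neighbours that will relay `packet`; a packet whose claim
    no neighbour accepts is dropped at the first hop."""
    verdicts = neighbour_verdicts(packet["claimed_location"], neighbours, max_range)
    return sorted(nid for nid, ok in verdicts.items() if ok)


if __name__ == "__main__":
    # Constructed neighbourhood that heard the same transmission.
    heard_by = {"n1": (0.0, 0.0), "n2": (80.0, 0.0), "n3": (0.0, 90.0)}
    for claim in ((40.0, 30.0), (500.0, 500.0), (150.0, 0.0)):
        print(claim, "relayed by", forward_decisions({"claimed_location": claim}, heard_by))
```

The third constructed claim shows the limit of the check: a false position that still lies within range of one listener is relayed by that listener only, so the scheme bounds how far a compromised node can misplace itself rather than pinning its exact position, which is why the report pairs it with location computation schemes and looks for further redundant properties.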

Covert Channel Attacks on MANET Routing and MAC Protocols

We have demonstrated the possibility of covert communication embedded at the network layer
(through routing) in an ad hoc wireless network. We have evaluated the performance of the covert
channel when the routing protocol is AODV; we have shown that the covert channel is almost
undetectable and is capable of transmitting information at the level of a few bits per second. We have
shown that such covert communication is possible for any reactive routing protocol. In addition, we
have developed a superior and totally undetectable covert channel that can be implemented at the
MAC layer, superposed on a standard collision resolution protocol, and have evaluated its performance
as well.

We have also investigated anonymous communication in ad hoc networks that can protect local
membership information, provide robustness against DoS attacks, and assist in intrusion detection. In
parallel with the above, we have launched an investigation of sensor networks that are deployed for the
purpose of detecting targets or events. We have studied distributed, centralized, and hybrid processing
schemes and evaluated detection performance as well as energy consumption for both RF
communication and processing. We have also evaluated the robustness of these schemes with respect
to loss of nodes and measurements. Also, we have considered the possibility of sequential detection
and the exploitation of correlation (spatial and temporal) among the measurements. In addition, we
formulated the routing issue and developed routing link metrics that capture residual battery levels and
energy consumption as well as the effect of the routing tree structure on detection performance. We
are exploring several extensions of the basic model and are formulating alternative variants that share
the same cross-layer properties as our basic model.

We have extended the investigation of covert communication in ad hoc wireless networks to the
MAC layer. We have demonstrated the implementation of covert channels utilizing MAC protocols
based on splitting algorithms. We have developed three different covert transmission strategies and
evaluated their performance under different variations of the MAC protocols; we have shown that
when the conservative transmission strategy is used, the covert channel is totally undetectable, and that
the channel is able to transmit information at the level of 0.3 bit per slot.


Vertical Protocol Integration for Enhanced Security in Wireless Sensor Networks


Making upper-layer protocol choices (MAC and routing) contingent on QoS at the physical layer can
increase network robustness against threats such as jamming, denial of service, etc. In our past work,
we have argued that the inherent interdependencies among protocol layers dictate joint design across
multiple layers. We have focused on the lower three layers, in which these interactions are strongest.
We have further focused on the resulting benefits from such integration for wireless network security
and information assurance. This integration provides flexibility in designing protocols and networks.

The central thesis of our work is that flexible networking significantly enhances the capabilities of
wireless networks to withstand threats. We investigated the use of flexible MAC/routing protocols to
enhance security of wireless sensor networks (or, more generally, any type of wireless ad hoc
networks). The basic premise in this line of investigation is the exploitation of the separate degrees of
freedom that MAC and routing provide for the transmission of information. In a nutshell, if the
routing protocol is attacked and certain routes get congested, the MAC protocol can alleviate
congestion by allocating more bandwidth to the congested nodes. Similarly, if the MAC protocol is
attacked (which means some nodes are flooded with packets that block reception of desired
information), the routing protocol can reroute around the congested bottlenecks. Sensor networks are
especially interesting as special cases of ad hoc networks because they provide additional means of
flexibility and security trade-offs.

We have focused first on the performance (i.e., the probability of correct detection) as a function of
how the sensor data are processed and sent on. Specifically, we have considered the extreme case in
which all the data from all sensors are sent to a single control node for processing, versus the other
extreme case in which each sensor performs detection and transmits only the result of its detection.
We have also considered the intermediate cases in which each sensor transmits a quantized value of its
local likelihood ratio for final processing at the control node. In addition to sensing performance
analysis, we are also considering the energy expenditures involved in these three options, and we plan
to evaluate the effectiveness of different threats on each of these alternatives.

Our method uses a novel "coloring" problem that differs from previously considered ones. Typical
"coloring" problems have involved the link activation problem that minimizes the length of time
needed for the transmission of given numbers of packets between pairs of nodes. Some of these
problems are NP-complete and others can be solved in polynomial time. The coloring problem that
results from our formulation can be viewed as a "node-group" activation problem, by means of
identifying sets of receivers that can be enabled simultaneously without full knowledge of the traffic
demands. Our initial formulation has led to relatively straightforward linear programs that yield
time-division schedules for the best "time-reuse" across the network of a given set of receiving nodes.

Sensor Networks for Event Detection

For the past year, we have extended our previous investigation of a sensor network as follows:

1. We have completed the study of sequential detection on the basic model. To be specific, we
considered the distributed scenario of sequential detection, where the sequential test is operated at
each sensor node. We have developed the optimal sequential decision rule at sensor nodes. The
detection performance and energy consumption of the sequential detection have been obtained and
compared with the non-sequential detection scheme, where the number of measurements at sensor
nodes is fixed. We have demonstrated that sequential detection always requires fewer measurements
to achieve the same detection performance as the non-sequential scheme, while regarding energy
efficiency, the comparison of the two schemes depends primarily on the relative values of the
energy-related parameters.

2. We have formulated an approach to model spatially and temporally correlated sensor network data.
The sensor network data is assumed to be generated in a probabilistic fashion from some raw data at
multiple neighboring locations. We have shown that spatial correlation decreases monotonically with
distance. In addition, a model based on a Markov chain has been developed to capture temporal
correlation among measurements.

3. In addition, we have made some progress on the routing issue, where we have specifically
considered several potential elements that may contribute to the link metric, including link length,
hop distance, residual energy, and energy-related and correlation-related parameters. We have also
analyzed the impact of each element of the link metric on the ultimate objectives of the system, i.e.,
detection accuracy, energy consumption, and network lifetime.
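Sequential detection at a single sensor node, as an added example that is not the report's decision rule: Wald's sequential probability ratio test for a Gaussian mean shift (H0: mean mu0, H1: mean mu1, known sigma) is run sample by sample and stops as soon as the log-likelihood ratio crosses either threshold, and its average sample count is compared with the fixed-sample Neyman-Pearson test at the same error rates, which is the "fewer measurements for the same detection performance" comparison of item 1. The signal model, error rates and simulation parameters are constructed assumptions.

```python
import math
import random
from statistics import NormalDist


def sprt_gaussian(samples, mu0=0.0, mu1=1.0, sigma=1.0, alpha=0.05, beta=0.05):
    """Wald's SPRT. Returns (decision, samples_used): decision 1 for H1
    (event present), 0 for H0 (no event), None if the stream ran out first.
    Thresholds come from the target false-alarm (alpha) and miss (beta)
    rates; the LLR increment is the Gaussian log-likelihood ratio per sample."""
    lower = math.log(beta / (1.0 - alpha))      # accept H0 at or below
    upper = math.log((1.0 - beta) / alpha)      # accept H1 at or above
    llr, n = 0.0, 0
    for n, x in enumerate(samples, start=1):
        llr += ((mu1 - mu0) * x - (mu1 ** 2 - mu0 ** 2) / 2.0) / sigma ** 2
        if llr >= upper:
            return 1, n
        if llr <= lower:
            return 0, n
    return None, n


def fixed_sample_size(mu0=0.0, mu1=1.0, sigma=1.0, alpha=0.05, beta=0.05):
    """Samples the non-sequential (Neyman-Pearson) test needs for the same
    alpha and beta: n = ((z_{1-alpha} + z_{1-beta}) * sigma / (mu1 - mu0))^2."""
    z = NormalDist()
    n = ((z.inv_cdf(1.0 - alpha) + z.inv_cdf(1.0 - beta)) * sigma / (mu1 - mu0)) ** 2
    return math.ceil(n)


def simulate(truth, trials=2000, seed=3, max_samples=500, **kw):
    """Average number of measurements and empirical error rate of the SPRT
    when `truth` (0 or 1) is the real hypothesis; data are constructed i.i.d.
    Gaussian samples. A None decision (stream exhausted) counts as an error."""
    rng = random.Random(seed)
    mu = kw.get("mu1", 1.0) if truth == 1 else kw.get("mu0", 0.0)
    sigma = kw.get("sigma", 1.0)
    total_n = errors = 0
    for _ in range(trials):
        stream = (rng.gauss(mu, sigma) for _ in range(max_samples))
        decision, n = sprt_gaussian(stream, **kw)
        total_n += n
        errors += decision != truth
    return total_n / trials, errors / trials


if __name__ == "__main__":
    print("fixed-sample test needs", fixed_sample_size(), "measurements")
    for truth in (0, 1):
        avg_n, err = simulate(truth)
        print(f"SPRT under H{truth}: {avg_n:.2f} measurements on average, error rate {err:.3f}")
```

The energy comparison in item 1 follows from the same numbers: fewer measurements save sensing energy per decision, but a sequential node must stay awake and decide when to stop, so whether it wins overall depends on the per-sample versus per-wake-up costs, exactly the energy-related parameters the report singles out.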


Thrust 3: Distributed Computing Formalisms and Systems

In this thrust we are investigating the following topics:

• Formal methods for intrusion models

• Formal methods for automatic testing and development of secure routing protocols

• Dynamic topology discovery and network tomography

• Distributed trust models for mobile wireless networks

• Cooperative intrusion detection databases with aggregates on a shadow security network

We provide below descriptions of the problems, the approach undertaken, the methodology developed
and used, and the results obtained in each project and effort undertaken during this research project's
reporting period.

Formal Modeling of Ad Hoc Routing Protocols for Security Analysis and Testing

Model checking routing protocols for security flaws may assist protocol designers by identifying
vulnerabilities automatically. However, model checking has always suffered from the state space
explosion problem as more details are added to the model. Using symbolic representations in
conjunction with partial order reduction can shrink this state space in a generic fashion; however, not
enough to make this approach practical. Our new approach, which may be used in conjunction with
those listed above, derives from careful consideration of timing. The route discovery flood and,
depending on the protocol, the route reply phase contain race conditions. Since MAC protocols are
nondeterministic, it is impossible to pre-determine the results of such a race. The nondeterminism can
be modeled probabilistically.

We may soften the problem of model checking to require that only a specified percentage of
executions is formally established, using redundancy in implementation to cover the uncertain aspects,
given that this percentage is high enough. Intuitively, this should eliminate many states because there
are many unlikely race outcomes. Proceeding along these ideas leads to an interesting relationship
between the probability of certain causal meshes and the volume of a corresponding class of polytopes
whose half-plane constraint coefficients obey a shortest path distance matrix. A tailored version of
Lasserre's dimensional recursion has been formulated, yielding faster results than available tools. We
have also investigated the integration of these ideas with human-in-the-loop theorem provers.

We worked intensively on this analysis by combining geometric and probabilistic methods for timed
partially ordered systems. We developed graph-based, rather than matrix-algebra, manipulations for
performing the Lasserre dimensional recursion for volume computation, which provide a 10-fold linear
speedup over our original algorithm. Our new method exploits the special form of the constraints that
occur in volumes described by timed partially ordered systems. The reason for this analysis is that
volume computation is a precursor to evaluating probabilities of executions.

We further extended the formulation of our method for combining timed partially ordered systems with
Mazurkiewicz trace semantics. This allows for efficient trace enumeration in timed partially ordered
systems. We also formulated a technique for performing symmetry reduction in model checking for
ad-hoc networks, which we used in conjunction with timed partially ordered exploration. Our method
relies on generating canonical forms for the states reached, based on permutation of the network
participant labels.


Dynamic and Distributed Trust for Mobile Wireless Ad-Hoc Networks


Current and future military networks rely on mobile ad-hoc networks (MANETs) because of their feasibility and flexibility in environments with rapid changes (connectivity, topology, etc.) and resource (bandwidth, energy, computation, etc.) constraints. Meanwhile, the dynamics and distributed operation of MANETs pose unique challenges for network management and control.

Trust establishment among communicating nodes (sensors, soldiers, vehicles, UAVs, satellites) and trust management are the absolute starting points for establishing any such network. They integrate with several components of network management, such as risk management, access control and authentication. In MANETs there is no fixed and universally available trusted third party (TTP), and trust relations among nodes change frequently over time. We conclude that trust management in this new paradigm of wireless networking should have the following essential and unique properties: (1) uncertainty and incompleteness: trust evidence is provided by peers and can be incomplete or even incorrect; (2) locality: trust information is exchanged locally through individual interactions; (3) distributed computation: trust evaluation is performed in a distributed manner.

Future battlefield networks will involve thousands of heterogeneous nodes operating under rapidly changing connectivity and resource (bandwidth, energy, computation, etc.) constraints. Mobile ad-hoc networks (MANETs) form the basis for current and future military networks. Trust and trust establishment among communicating nodes (soldiers, vehicles, UAVs, satellites) and sensor nodes is the absolute starting point for establishing any such network. The essential and unique properties of trust management in this new paradigm of wireless networking, as opposed to traditional centralized approaches, are: (1) uncertainty of trust value: the trust value is represented as a subjective probability ranging from 0 to 1; (2) locality in trust information exchange; (3) distributed computation.

The main ingredients of our innovative solution of the trust management problem are: (i) an efficient, resilient, distributed scheme for distributing trust evidence documents; (ii) a distributed scheme for “spreading” trust to validated nodes; (iii) a new concept of topology control that helps trust propagation (speed) and minimizes resources (number of links and bandwidth); (iv) fundamental analytical results, backing experimental evidence of performance, based on techniques from the mathematical physics of spin glasses and phase transitions and on the mathematics of dynamic cooperative games on graphs. Our goal is to build a trust computation model based only on local interactions, and to investigate the global effects of these interactions. We demonstrated how phase transitions (here meaning node transitions from non-trusted to trusted) can appear within a MANET. We linked the existence and analysis of such phase transitions to dynamic cooperative games. The cooperative game framework we developed is useful for investigating other emergent properties of MANETs: route connectivity, security, resource allocation. Agents are self-interested, and usually face a frustrated interaction. Normally, outcomes without cooperation are worse than those with cooperation. Thus, it is desirable to analyze rules that force all entities to cooperate. Inspiration for our analytical methods comes from the Ising and spin glass models in physics. The Ising model describes the interaction of magnetic moments or spins, where some spins seek to align (ferromagnetism) while others try to anti-align (antiferromagnetism). Inspired by the Ising model, we developed an interesting cooperative game in which nodes in the network correspond to spins, all nodes interact only with their neighbors, and each player aims to maximize its payoff.


We investigated our solutions to the problem of establishing and maintaining trust relations within a MANET in a manner that satisfies both the dynamic and the distributed constraints of the problem. We investigated the system model of distributed trust management. In particular, two components have been extensively studied: trust evidence distribution and trust evaluation. Two schemes are proposed for trust evidence distribution: Freenet-based and swarm-intelligence-based. The latter shows great potential and advantages for MANETs. We developed distributed trust establishment strategies based only on local interactions. We extensively studied several important properties of the distributed trust model, such as the phenomenon of phase transitions, which is linked to analytical methods from mathematical physics and Markov random fields; the dynamics of trust and trust revocation propagation, based on analyses using algebraic graph theory; and the effects of network topology. We further studied the strong connections between distributed trust models and cooperative game theory on graphs. Our analyses demonstrate that the trust mechanism can be applied as an incentive to encourage cooperation in the selfish environment of MANETs.

For trust evaluation policies, we developed a computation-based trust establishment policy interpreted as “voting” among neighbors who have direct trust relations with the target. Our aim is to establish indirect relations between two nodes that have not previously interacted. The network is modeled as a directed trust graph representing the trust relations. Our analyses based on algebraic graph theory provide profound implications for network management. One important observation is that a purely flat network cannot achieve the desired trust-connected graph. Therefore we introduced the notion of headers, which help to establish trust throughout the network. By studying the topology of trust graphs using results from the theory of complex networks, we found that providing a small number of long-range trust relations dramatically speeds up the trust establishment process. Furthermore, a stochastic voting rule is studied to capture uncertainties in network communications. This stochastic voting rule is mathematically modeled as a Markov chain. We studied its convergence and the corresponding stationary distribution, which is shown to be a Gibbs distribution. Phase transitions are observed as the stochastic voting rule reaches the stationary state. This observation emphasizes the necessity of careful analysis of any distributed system, because a small change in one parameter may result in totally opposite performance of the whole system.


In many cases, nodes participating in MANETs are selfish. However, distributed networks rely on cooperation among nodes to fulfill their normal functions. We therefore investigated mechanisms that encourage nodes to collaborate with others. Node cooperation is modeled as a cooperative game in which each node has its own payoff. Nodes interact with neighbors to maximize their payoffs. We proposed two solutions for cooperation. One is through neighboring negotiations: we provided a payoff allocation scheme in which players with positive gain can negotiate with their neighbors by sacrificing a certain gain. The other uses trust as an incentive to promote cooperation and circumvent misbehaving nodes: nodes that refrain from cooperation get lower trust values, and they are eventually penalized because other nodes tend to cooperate only with highly trusted ones.

We analyzed the effects of local interactions, which are realized by local policies in our scheme, on the global features and dynamics of the system. One of the most important properties is the existence of trusted paths (i.e. paths where all nodes are trusted) between trusted sources and destinations. We analyzed trust dynamics within a MANET, i.e. how trust spreads and/or is revoked between nodes. We investigated and answered questions such as: Does trust spread to a maximal set of nodes? Which parameters speed up or slow down this transition?

We investigated the effects of the physical and logical (trust) topologies on the performance of distributed trust schemes. The desired properties are fast spreading and fast revocation of trust, even with failing nodes. An important requirement is to achieve high performance efficiently, which in the framework of MANETs translates to sparsity of the logical (trust) topology. In this context we showed that topologies with the so-called “small world” characteristic are the most efficient. This leads to simple schemes for controlling the trust graph topology so as to maintain this desirable characteristic. We provided interesting interpretations and properties of these topologies: nodes are only a few “trust” hops from each other, and they are scalable in that the local map looks like the global map.
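The Ising-style cooperative game, the stochastic neighbour-voting rule with its Gibbs stationary distribution, the pinned “headers” and the small-world shortcuts described in this subsection, as an added example that is not the report's own code; the heat-bath update rule, the graph sizes and every coupling value below are illustrative choices made here:

```python
"""Stochastic neighbour voting on a trust graph, modelled as a Markov chain.

Added example, not code from the report.  Each node holds s_i in {+1: trusted,
-1: not trusted}; when picked, it re-votes on itself from its neighbours with
the heat-bath rule, and the resulting chain has the Gibbs stationary law
    pi(s) ~ exp(beta * sum_{edges ij} s_i s_j + h * sum_i s_i),
beta being the neighbour coupling and h a bias from external evidence.
Graph sizes and parameter values below are illustrative choices made here.
"""
import itertools
import math
import random


def small_world(n, k, shortcuts, seed=0):
    """Ring (each node linked to k nearest per side) plus random long-range links."""
    rng = random.Random(seed)
    adj = {i: {(i + d) % n for d in range(-k, k + 1) if d} for i in range(n)}
    while shortcuts > 0:
        a, b = rng.sample(range(n), 2)
        if b not in adj[a]:
            adj[a].add(b), adj[b].add(a)
            shortcuts -= 1
    return adj


def vote_prob(beta, h, neighbour_sum):
    """P(node votes +1 | neighbours' states): the heat-bath rule for the Gibbs law."""
    return 1.0 / (1.0 + math.exp(-2.0 * (beta * neighbour_sum + h)))


def simulate(adj, beta, h, steps, seed=0, init=-1, headers=()):
    """Random-scan chain; 'headers' are nodes pinned to trusted (+1) throughout."""
    rng = random.Random(seed)
    state = {v: (1 if v in headers else init) for v in adj}
    nodes = list(adj)
    for _ in range(steps):
        i = rng.choice(nodes)
        if i not in headers:
            field = sum(state[j] for j in adj[i])
            state[i] = 1 if rng.random() < vote_prob(beta, h, field) else -1
    return state


def trusted_fraction(state):
    return sum(s == 1 for s in state.values()) / len(state)


def gibbs_weight(adj, state, beta, h):
    pairs = sum(state[i] * state[j] for i in adj for j in adj[i] if i < j)
    return math.exp(beta * pairs + h * sum(state.values()))


def stationarity_error(adj, beta, h):
    """Exact check on a tiny graph: max |pi P - pi|; ~0 means the Gibbs law is stationary."""
    nodes = sorted(adj)
    key = lambda s: tuple(s[v] for v in nodes)
    states = [dict(zip(nodes, s)) for s in itertools.product((-1, 1), repeat=len(nodes))]
    z = sum(gibbs_weight(adj, s, beta, h) for s in states)
    pi = {key(s): gibbs_weight(adj, s, beta, h) / z for s in states}
    flow = dict.fromkeys(pi, 0.0)
    for s in states:
        for i in nodes:  # node i is picked with probability 1/n, then re-votes
            p_up = vote_prob(beta, h, sum(s[j] for j in adj[i]))
            for new, p in ((1, p_up), (-1, 1.0 - p_up)):
                flow[key({**s, i: new})] += pi[key(s)] * p / len(nodes)
    return max(abs(flow[k] - pi[k]) for k in pi)


def sweep(betas, n=200, k=2, shortcuts=20, h=0.0, seed=1):
    """Trusted fraction after 50 updates per node: all-untrusted start, 5 pinned headers."""
    adj = small_world(n, k, shortcuts, seed)
    headers = set(range(0, n, n // 5))
    return {b: trusted_fraction(simulate(adj, b, h, 50 * n, seed + int(10 * b), headers=headers))
            for b in betas}
```

stationarity_error verifies the Gibbs claim exactly on a small graph by enumerating all states; sweep shows how the trusted fraction reached from the pinned headers moves as the coupling beta is varied on a larger small-world trust graph.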


Pathwise Trust Computation for MANET

Trust between nodes depends on their past interactions, and future interactions depend on established trust. However, when two nodes have had no direct interaction, they can base their trust estimates for each other on other nodes' experiences (second-hand evidence). In this way, one or more trust paths are formed. We modeled the situation as a weighted graph in which edges represent direct trust relations. We captured and formalized two fundamental intuitive notions of trust: first, long trust paths are less reliable than short ones; second, many trust paths are more reliable than just a few. Each trust relation takes into account not only the amount of trust that a node places in another, but also the amount of evidence on which this estimate is based.

Our formal model is based on a mathematical structure called a semiring. It allows us to model the trust relations, interpret the intuitive notions in a rigorous way, propose algorithms for the solution, and analyze their behavior when problem parameters change. We have developed two semirings that estimate the (indirect) trust relation between two nodes. The first is simpler, more bandwidth-efficient and faster, but less accurate than the second, since it bases the estimates on the single best trust path available. The second uses all available information (weighted according to its importance), so the trust decision is perfectly accurate. However, it requires longer waiting times and more message exchanges. Thus we have identified a tradeoff between accuracy and cost (where cost quantifies wireless network constraints such as limited bandwidth and energy).
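The two-semiring computation over a weighted trust graph, as an added example that is not the report's own code; the operators of both semirings, the (trust, confidence) encoding and the sample graph are constructed here to mirror the two flavours just described, not taken from the project:

```python
"""Pathwise indirect trust on a weighted trust graph, computed with semirings.

Added example, not the report's code: the two semirings below are constructed
here to mirror the two flavours described above (single best path vs. all
paths).  A direct opinion is (t, c): t = how much the issuer trusts the target,
c = how much evidence backs that estimate, both assumed to lie in (0, 1].
"""

# Constructed sample trust graph: TRUST_GRAPH[u][v] is u's direct opinion of v.
TRUST_GRAPH = {
    "A": {"B": (0.9, 0.9), "C": (0.8, 0.6)},
    "B": {"D": (0.9, 0.8)},
    "C": {"D": (0.7, 0.5), "E": (0.9, 0.9)},
    "E": {"F": (0.9, 0.9)},
    "F": {"D": (0.9, 0.9)},
    "D": {},
}


def simple_paths(graph, src, dst):
    """Every cycle-free path src -> dst as a list of nodes (the trust paths)."""
    stack = [[src]]
    while stack:
        path = stack.pop()
        if path[-1] == dst:
            yield path
            continue
        for nxt in graph[path[-1]]:
            if nxt not in path:
                stack.append(path + [nxt])


class BestPathSemiring:
    """Cheap semiring: only the single most confident trust path survives."""
    zero, one = (0.0, 0.0), (1.0, 1.0)
    lift = staticmethod(lambda op: op)          # an edge opinion is used as-is
    report = staticmethod(lambda x: {"trust": x[0], "evidence": x[1]})

    @staticmethod
    def times(a, b):                            # concatenate hops: trust and
        return (a[0] * b[0], a[1] * b[1])       # confidence both shrink (intuition 1)

    @staticmethod
    def plus(a, b):                             # choose between paths: keep the
        return a if (a[1], a[0]) >= (b[1], b[0]) else b  # more confident one


class AllPathsSemiring:
    """Expectation-style semiring: pool every path, weighted by its confidence.
    Element (w, d): w = accumulated confidence, d = w * expected "distance" 1/t,
    so distances add along a path and are averaged across paths."""
    zero, one = (0.0, 0.0), (1.0, 0.0)
    lift = staticmethod(lambda op: (op[1], op[1] / op[0]))

    @staticmethod
    def times(a, b):
        return (a[0] * b[0], a[0] * b[1] + b[0] * a[1])

    @staticmethod
    def plus(a, b):                             # more paths => more evidence (intuition 2)
        return (a[0] + b[0], a[1] + b[1])

    @staticmethod
    def report(x):
        w, d = x                                # trust = 1 / mean distance over paths
        return {"trust": (w / d) if d else 0.0, "evidence": w}


def indirect_trust(graph, src, dst, semiring):
    """Fold the chosen semiring over all trust paths src -> dst."""
    total = semiring.zero
    for path in simple_paths(graph, src, dst):
        acc = semiring.one
        for u, v in zip(path, path[1:]):
            acc = semiring.times(acc, semiring.lift(graph[u][v]))
        total = semiring.plus(total, acc)
    return semiring.report(total)
```

On the sample graph, A's opinion of D via the best single path is (0.81, 0.72), weaker than the one-hop opinion of B, while pooling all three paths yields lower trust but more than twice the evidence, which is the accuracy-versus-cost tradeoff in miniature.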


We evaluated a solution that takes advantage of the good points of both semirings: we keep the information that influences the result the most, and therefore compute an accurate result without wasting resources. We also placed great emphasis on the robustness of our solution, i.e. what happens when malicious nodes infiltrate the system. The scenario we used partitions the nodes into Good and Bad. Good nodes interact with other nodes (both Good and Bad) and gradually identify their one-hop neighbors correctly. Bad nodes always give the worst opinions of Good nodes and the best opinions of other Bad nodes. As we increase the percentage of Bad nodes, we expect the situation to deteriorate, but graceful degradation is preferable to catastrophe. What happens is that Good nodes only identify (Good and Bad) nodes that are close to them (in the trust graph); they reach no decision when it comes to nodes that are many hops away. Even when 90% of the nodes are Bad, no Bad node is misidentified as Good, or vice versa.

Our model is expressive enough to describe the trust computations of PGP. We believe that it can provide a platform for the design and comparison of various trust metrics that can potentially satisfy a number of different constraints.


Network Tomography for Dynamic Network Monitoring and Information Assurance

The fundamental problem addressed by network tomography is to obtain a spatio-temporal picture of a network from end-to-end views and measurements such as delay or packet loss. These measurements can be performed in an active fashion via probes or in a passive (non-intrusive) fashion. The implementation can be via either unicast or multicast communications. One interesting example problem involves using measured end-to-end delays, which can be thought of as representing distances in a graph. Another interesting example is to measure end-to-end packet loss. The problem is then: can we reconstruct the entire graph from a subset of these distances? This problem is an example of an inverse problem.

Repeated application of these concepts leads to the problem of monitoring the status of a network by observations from the “edge”. A realistic formulation of these problems must account for the fact that only partial information can be obtained by setting up monitors at a relatively small subset of the nodes. From these monitors, data can be collected and examined. The problem of discovering the detailed inner structure of the network from the collection of end-to-end measurements can be seen as a type of inverse problem, analogous to those arising in conventional tomography, but discrete this time.

One way to try to understand what is going on is to visualize the directed graph representing the network by laying it out in 3D or even 2D hyperbolic space, since in these spaces the volume of a ball increases exponentially with the radius, as opposed to the familiar polynomial increase of the volume of a ball in Euclidean 3D space, respectively 2D Euclidean space. We have developed an innovative mathematical formulation of these problems using this representation of the network as embedded in the real hyperbolic plane. In this representation, paths between nodes become the geodesics of the hyperbolic geometry. Thus our innovative formulation and solution methodology reinforce that the correct tomography to use is not the Euclidean one but that of 2D or 3D real hyperbolic space.

A key objective of our research is to obtain computationally efficient algorithms for solving such inverse problems. Our approach is based on our previous work, in which we studied a classical inverse problem of partial differential equations, the inverse conductivity problem, also called EIT (electrical impedance tomography) in the engineering literature. Our earlier work demonstrated a close relation between tomography and EIT. For the EIT problem we obtained a very computationally efficient solution that involved the Radon transform in hyperbolic space. The EIT problems arising out of network tomography problems are more akin to discrete electrical network inverse problems, such as those investigated and solved by Curtis and Morrow. Our approach combines the methods of Curtis and Morrow with our earlier tomographic methods on trees and graphs, while extending these methods to probabilistic models and situations.


Dissemination and Discovery of Information Assurance Models and Data in Wireless Networks

The proliferation of wireless technologies, along with the large volume of data available online, is forcing us to rethink existing data dissemination techniques, in particular for aggregate data. In addition to scalability and response time, data delivery to mobile clients with wireless connectivity must also consider energy consumption. We developed a hybrid scheduling algorithm (DV-ES) for broadcast-based delivery of aggregate data over wireless channels. Our algorithm efficiently “packs” aggregate data for broadcast delivery and utilizes view subsumption at the mobile client, which allows for faster response times and lower energy consumption.

Object location is a major part of the operation of distributed networks. We investigated and analyzed the performance of several search methods for unstructured networks. We analyzed the performance of the algorithms relative to various metrics, with emphasis on success rate, bandwidth efficiency and adaptation to dynamic network conditions. Simulation results were used to empirically evaluate the behavior of nine representative schemes in a variety of different environments. We developed the Adaptive Probabilistic Search method (APS). Other proposed search methods either depend on network-disastrous flooding and its variations or utilize indices that are too expensive to maintain. Our scheme utilizes feedback from previous searches to probabilistically guide future ones. It performs efficient object discovery while inducing zero overhead for dynamic network operations, such as node arrivals/departures or object relocation. Extensive simulation results show that APS achieves high success rates, an increased number of discovered objects, very low bandwidth consumption and good adaptation to changing topologies.

We developed the Adaptive Group Notification (AGNO) scheme. AGNO efficiently contacts large peer populations in unstructured peer-to-peer networks by defining a novel implicit approach to group membership: it monitors demand for content as expressed through lookup operations. AGNO achieves effective and bandwidth-efficient content dissemination by utilizing search indices and adaptively updating them.

We considered the problem of sharing structured data in the context of unstructured ad-hoc networks. Sharing such data is a challenging issue, especially in the absence of a global schema. The standard practice of answering a query that is consecutively rewritten along the propagation path often results in significant loss of information. In our work, we present an adaptive and bandwidth-efficient solution to the problem in the context of an unstructured, purely decentralized system. Our method allows peers to individually choose which rewritten version of a query to answer and to discover information-rich sources that would otherwise remain hidden. Utilizing normal query traffic only, we describe how efficient query routing and clustering of peers can be used to produce high-quality answers. Experimental results show that our technique produces very accurate answers and clusters very close to the optimal values while contacting a very small number of nodes inside the overlay.


Finally, we also propose an application which combines research performed in computer networks, multimedia databases and computer vision. Today, more than ever, monitoring and surveillance systems play an important role in many aspects of our lives. Technology plays a vital role in our efforts to create, store and analyze vast amounts of data for both security and commercial purposes. We consider the problem where a number of networks are interconnected. Each individual node (network) collects, processes and stores data from several sensors (cameras). Specifically, we emphasize how the data (images) are processed by the individual nodes and how the information is transmitted, so that queries involving multiple nodes can be answered. During this process, we also identify several challenges related to sharing the voluminous content provided by visual surveillance devices.


(5) Technology Transfer:

We have developed close collaboration with scientists from the Army Research Laboratory (ARL) on models for intrusions and on intrusion detection, as well as associated testbeds (Dr. Greg Cirincione).

We have developed close collaboration with personnel from the Army Research Laboratory on physical layer security for wireless networks (Dr. Brian Sadler).

We collaborated with Fujitsu Laboratories of America in a joint venture to work on a proposal for the IEEE 802.11 ESS Mesh Network Standard. Our main contribution towards a reliable and efficient security mechanism for the mesh network was well appreciated and leveraged by the joint standards committee. We have been invited to participate in directly shaping the security mechanism of the mesh standard in the forthcoming months.


We have held technical meetings and made technical presentations on the results of our research, implementations and tests to several companies and Government Laboratories.


